[PATCH 2/2] selftests: rtnetlink: add ipsec packet offload test

[PATCH 2/2] selftests: rtnetlink: add ipsec packet offload test

[Feng Wang]

From: wangfe <wangfe@google.com>

Duplicating kci_test_ipsec_offload to create a packet offload test.
Using the netdevsim as a device for testing ipsec packet mode.
Test the XFRM commands for setting up IPsec hardware packet offloads,
especially configuring the XFRM interface ID.

Signed-off-by: wangfe <wangfe@google.com>
---
 tools/testing/selftests/net/rtnetlink.sh | 124 +++++++++++++++++++++++
 1 file changed, 124 insertions(+)

diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh
index bdf6f10d0558..4ce31625d593 100755
--- a/tools/testing/selftests/net/rtnetlink.sh
+++ b/tools/testing/selftests/net/rtnetlink.sh
@@ -24,6 +24,7 @@ ALL_TESTS="
 	kci_test_macsec_offload
 	kci_test_ipsec
 	kci_test_ipsec_offload
+	kci_test_ipsec_packet_offload
 	kci_test_fdb_get
 	kci_test_neigh_get
 	kci_test_bridge_parent_id
@@ -841,6 +842,129 @@ EOF
 	end_test "PASS: ipsec_offload"
 }
 
+#-------------------------------------------------------------------
+# Example commands
+#   ip x s add proto esp src 14.0.0.52 dst 14.0.0.70 \
+#            spi 0x07 mode tunnel reqid 0x07 replay-window 32 \
+#            aead 'rfc4106(gcm(aes))' 1234567890123456dcba 128 \
+#            sel src 14.0.0.52/24 dst 14.0.0.70/24
+#            offload packet dev ipsec1 dir out if_id 1
+#   ip x p add dir out src 14.0.0.52/24 dst 14.0.0.70/24 \
+#            tmpl proto esp src 14.0.0.52 dst 14.0.0.70 \
+#            spi 0x07 mode tunnel reqid 0x07 \
+#            offload packet dev ipsec1 if_id 1
+#
+#-------------------------------------------------------------------
+kci_test_ipsec_packet_offload()
+{
+	local ret=0
+	algo="aead rfc4106(gcm(aes)) 0x3132333435363738393031323334353664636261 128"
+	srcip=192.168.123.3
+	dstip=192.168.123.4
+	sysfsd=/sys/kernel/debug/netdevsim/netdevsim0/ports/0/
+	sysfsf=$sysfsd/ipsec
+	sysfsnet=/sys/bus/netdevsim/devices/netdevsim0/net/
+	probed=false
+
+	if ! mount | grep -q debugfs; then
+		mount -t debugfs none /sys/kernel/debug/ &> /dev/null
+	fi
+
+	# setup netdevsim since dummydev doesn't have offload support
+	if [ ! -w /sys/bus/netdevsim/new_device ] ; then
+		run_cmd modprobe -q netdevsim
+		if [ $ret -ne 0 ]; then
+			end_test "SKIP: ipsec_packet_offload can't load netdevsim"
+			return $ksft_skip
+		fi
+		probed=true
+	fi
+
+	echo "0" > /sys/bus/netdevsim/new_device
+	while [ ! -d $sysfsnet ] ; do :; done
+	udevadm settle
+	dev=`ls $sysfsnet`
+
+	ip addr add $netdevsimip dev $dev
+	ip link set $dev up
+	if [ ! -d $sysfsd ] ; then
+		end_test "FAIL: ipsec_packet_offload can't create device $dev"
+		return 1
+	fi
+	if [ ! -f $sysfsf ] ; then
+		end_test "FAIL: ipsec_packet_offload netdevsim doesn't support offload"
+		return 1
+	fi
+
+	# flush to be sure there's nothing configured
+	ip x s flush ; ip x p flush
+
+	# create offloaded out SA
+	run_cmd ip x p add offload packet dev $dev dir out src $srcip/24 \
+	    dst $dstip/24 tmpl proto esp src $srcip dst $dstip spi 9 \
+	    mode tunnel reqid 42 if_id $ipsec_if_id
+
+	run_cmd ip x s add proto esp src $srcip dst $dstip spi 9 \
+	    mode tunnel reqid 42 $algo sel src $srcip/24 dst $dstip/24 \
+	    offload packet dev $dev dir out if_id $ipsec_if_id
+
+	if [ $ret -ne 0 ]; then
+		end_test "FAIL: ipsec_packet_offload can't create SA"
+		return 1
+	fi
+
+	# does offload show up in ip output
+	lines=`ip x s list | grep -c "crypto offload parameters: dev $dev dir"`
+	if [ $lines -ne 1 ] ; then
+		check_err 1
+		end_test "FAIL: ipsec_packet_offload SA missing from list output"
+	fi
+
+	# setup xfrm interface
+	ip link add $ipsecdev type xfrm dev lo if_id $ipsec_if_id
+	ip link set $ipsecdev up
+	ip addr add $srcip/24 dev $ipsecdev
+
+	# we didn't create a peer, make sure we can Tx
+	ip neigh add $dstip dev $dev lladdr 00:11:22:33:44:55
+	# use ping to exercise the Tx path
+	ping -I $ipsecdev -c 3 -W 1 -i 0 $dstip >/dev/null
+
+	# remove xfrm interface
+	ip link delete $ipsecdev
+
+	# does driver have correct offload info
+	run_cmd diff $sysfsf - << EOF
+SA count=1 tx=3
+sa[0] tx ipaddr=0x00000000 00000000 00000000 00000000
+sa[0]    spi=0x00000009 proto=0x32 salt=0x61626364 crypt=1
+sa[0]    key=0x34333231 38373635 32313039 36353433
+EOF
+	if [ $? -ne 0 ] ; then
+		end_test "FAIL: ipsec_packet_offload incorrect driver data"
+		check_err 1
+	fi
+
+	# does offload get removed from driver
+	ip x s flush
+	ip x p flush
+	lines=`grep -c "SA count=0" $sysfsf`
+	if [ $lines -ne 1 ] ; then
+		check_err 1
+		end_test "FAIL: ipsec_packet_offload SA not removed from driver"
+	fi
+
+	# clean up any leftovers
+	echo 0 > /sys/bus/netdevsim/del_device
+	$probed && rmmod netdevsim
+
+	if [ $ret -ne 0 ]; then
+		end_test "FAIL: ipsec_packet_offload"
+		return 1
+	fi
+	end_test "PASS: ipsec_packet_offload"
+}
+
 kci_test_gretap()
 {
 	DEV_NS=gretap00
-- 
2.47.0.199.ga7371fff76-goog

Re: [PATCH 2/2] selftests: rtnetlink: add ipsec packet offload test

[Jakub Kicinski]

On Mon,  4 Nov 2024 15:33:15 -0800 Feng Wang wrote:
> From: wangfe <wangfe@google.com>
> 
> Duplicating kci_test_ipsec_offload to create a packet offload test.
> Using the netdevsim as a device for testing ipsec packet mode.
> Test the XFRM commands for setting up IPsec hardware packet offloads,
> especially configuring the XFRM interface ID.

CI appears to not be on board:

# 26.29 [+0.07] RTNETLINK answers: Operation not supported
# 26.36 [+0.07] FAIL: ipsec_packet_offload can't create SA

https://netdev-3.bots.linux.dev/vmksft-net/results/846081/25-rtnetlink-sh/stdout

Maybe you need to add more options to tools/testing/selftests/net/config

But stepping back - I think it may be time to move the crypto tunnel
tests based on netdevsim to
tools/testing/selftests/drivers/net/netdevsim ? rtnetlink is our main
netlink family, likely half of all our tests could be called a
"rtnetlink test".
-- 
pw-bot: cr

Re: [PATCH 2/2] selftests: rtnetlink: add ipsec packet offload test

[Jakub Kicinski]

On Mon, 4 Nov 2024 17:26:12 -0800 Jakub Kicinski wrote:
> On Mon,  4 Nov 2024 15:33:15 -0800 Feng Wang wrote:
> > From: wangfe <wangfe@google.com>
> > 
> > Duplicating kci_test_ipsec_offload to create a packet offload test.
> > Using the netdevsim as a device for testing ipsec packet mode.
> > Test the XFRM commands for setting up IPsec hardware packet offloads,
> > especially configuring the XFRM interface ID.  
> 
> CI appears to not be on board:
> 
> # 26.29 [+0.07] RTNETLINK answers: Operation not supported
> # 26.36 [+0.07] FAIL: ipsec_packet_offload can't create SA
> 
> https://netdev-3.bots.linux.dev/vmksft-net/results/846081/25-rtnetlink-sh/stdout
> 
> Maybe you need to add more options to tools/testing/selftests/net/config
> 
> But stepping back - I think it may be time to move the crypto tunnel
> tests based on netdevsim to
> tools/testing/selftests/drivers/net/netdevsim ? rtnetlink is our main
> netlink family, likely half of all our tests could be called a
> "rtnetlink test".

PS. this wiki tells you how the CI builds the kernel, so it is useful
for making sure the config options are chosen correctly:
https://github.com/linux-netdev/nipa/wiki/How-to-run-netdev-selftests-CI-style

Re: [PATCH 2/2] selftests: rtnetlink: add ipsec packet offload test

[Feng Wang]

Hi Jakub,

Thanks for your information, I am able to reproduce the test
environment and run the test.  The main reason for failure is that
this patch relies on the previous
patch(https://lore.kernel.org/all/20241112192249.341515-1-wangfe@google.com/),
 and it is not checked in yet.
And there is another routing issue that I will fix too, and I will
upstream it again when the previous patch is checked in.

Thanks again for your help.

Feng