* [PATCH net-next v3 00/15] bnxt_en: Add kTLS TX offload support
@ 2026-06-14 7:23 Michael Chan
2026-06-14 7:23 ` [PATCH net-next v3 01/15] bnxt_en: Add Midpath channel information Michael Chan
` (14 more replies)
0 siblings, 15 replies; 16+ messages in thread
From: Michael Chan @ 2026-06-14 7:23 UTC (permalink / raw)
To: davem
Cc: netdev, edumazet, kuba, pabeni, andrew+netdev, pavan.chebbi,
andrew.gospodarek
This patchset adds kTLS offload support for TX direction. A number
of new files are added:
bnxt_mpc.[ch] handle midpath channels (MPCs) used to offload kTLS
connections to the chip's crypto blocks without going through FW.
bnxt_crypto.[ch] handle the crypto interface and resources.
bnxt_ktls.[ch] handle kTLS offload.
A new CONFIG_BNXT_TLS is added to enable all of the above. The first 6
patches add the MPC logic including resource accounting and reservations.
The next 5 patches add the crypto logic to handle the crypto resources
and to send/receive control data using the MPCs. The last 4 patches
add kTLS offload for the TX direction.
There will be a follow-on patchset to make the TX offload more complete
and to add the RX direction offload.
v3:
Fix most AI reported issues from Jakub.
v2:
https://lore.kernel.org/netdev/20260512212105.3488258-1-michael.chan@broadcom.com/
Fix unused variable compile warnings in patch 10 and 12 by reorganizing
the patches (reported by Jakub)
Fix some error recovery issues in patch 12
v1:
https://lore.kernel.org/netdev/20260504235836.3019499-1-michael.chan@broadcom.com/
Michael Chan (15):
bnxt_en: Add Midpath channel information
bnxt_en: Account for the MPC TX and CP rings
bnxt_en: Set default MPC ring count
bnxt_en: Rename xdp_tx_lock to tx_lock
bnxt_en: Allocate and free MPC software structures
bnxt_en: Allocate and free MPC channels from firmware
bnxt_en: Allocate crypto structure and backing store
bnxt_en: Reserve crypto RX and TX key contexts on a PF
bnxt_en: Add infrastructure for crypto key context IDs
bnxt_en: Add MPC transmit and completion functions
bnxt_en: Add crypto MPC transmit/completion infrastructure
bnxt_en: Support kTLS TX offload by implementing .tls_dev_add/del()
bnxt_en: Implement kTLS TX normal path
bnxt_en: Add support for inline transmit BDs
bnxt_en: Add kTLS retransmission support
drivers/net/ethernet/broadcom/Kconfig | 9 +
drivers/net/ethernet/broadcom/bnxt/Makefile | 1 +
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 255 ++++++-
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 91 ++-
.../net/ethernet/broadcom/bnxt/bnxt_crypto.c | 614 +++++++++++++++
.../net/ethernet/broadcom/bnxt/bnxt_crypto.h | 226 ++++++
.../net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 53 ++
drivers/net/ethernet/broadcom/bnxt/bnxt_gso.c | 2 +-
.../net/ethernet/broadcom/bnxt/bnxt_ktls.c | 572 ++++++++++++++
.../net/ethernet/broadcom/bnxt/bnxt_ktls.h | 175 +++++
drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c | 717 ++++++++++++++++++
drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h | 210 +++++
.../net/ethernet/broadcom/bnxt/bnxt_sriov.c | 6 +-
drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 4 +-
include/linux/bnxt/hsi.h | 37 +
15 files changed, 2918 insertions(+), 54 deletions(-)
create mode 100644 drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c
create mode 100644 drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.h
create mode 100644 drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.c
create mode 100644 drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.h
create mode 100644 drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c
create mode 100644 drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h
--
2.51.0
^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH net-next v3 01/15] bnxt_en: Add Midpath channel information
2026-06-14 7:23 [PATCH net-next v3 00/15] bnxt_en: Add kTLS TX offload support Michael Chan
@ 2026-06-14 7:23 ` Michael Chan
2026-06-14 7:23 ` [PATCH net-next v3 02/15] bnxt_en: Account for the MPC TX and CP rings Michael Chan
` (13 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: Michael Chan @ 2026-06-14 7:23 UTC (permalink / raw)
To: davem
Cc: netdev, edumazet, kuba, pabeni, andrew+netdev, pavan.chebbi,
andrew.gospodarek, Ajit Khaparde, Kalesh AP
Midpath channels (MPCs) are rings for hardware control paths. These
control paths are used to offload kTLS directly to the hardware
without going through firmware. This patch adds the basic information
structures for these MPCs.
An MPC is basically a TX and completion ring pair with a HW TLS block
as the destination. Two MPC channel types are used to offload
connections to the TX crypto engine (TCE) and the RX crypto
engine (RCE) respectively. In the driver, we re-use the
bnxt_tx_ring_info and bnxt_cp_ring_info control structs for the MPCs.
This patch also adds the CONFIG_BNXT_TLS Kconfig option to conditionally
include the MPC logic. The first few patches in the series add the MPC
support. kTLS support will be added later in the series.
Reviewed-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
---
drivers/net/ethernet/broadcom/Kconfig | 9 ++++
drivers/net/ethernet/broadcom/bnxt/Makefile | 1 +
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 8 ++++
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 2 +
drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c | 26 ++++++++++
drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h | 47 +++++++++++++++++++
6 files changed, 93 insertions(+)
create mode 100644 drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c
create mode 100644 drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h
diff --git a/drivers/net/ethernet/broadcom/Kconfig b/drivers/net/ethernet/broadcom/Kconfig
index 4287edc7ddd6..0114760c3ac4 100644
--- a/drivers/net/ethernet/broadcom/Kconfig
+++ b/drivers/net/ethernet/broadcom/Kconfig
@@ -254,6 +254,15 @@ config BNXT_HWMON
Say Y if you want to expose the thermal sensor data on NetXtreme-C/E
devices, via the hwmon sysfs interface.
+config BNXT_TLS
+ bool "Broadcom NetXtreme-C/E TLS offload support"
+ default y
+ depends on BNXT && TLS_DEVICE
+ depends on TLS=y || BNXT=m
+ help
+ Say Y if you want to enable Transport Layer Security (TLS) hardware
+ encryption and decryption offload on supported NetXtreme-C/E devices.
+
config BNGE
tristate "Broadcom ThorUltra Ethernet device support"
depends on PCI
diff --git a/drivers/net/ethernet/broadcom/bnxt/Makefile b/drivers/net/ethernet/broadcom/bnxt/Makefile
index debef78c8b6d..0506574c007a 100644
--- a/drivers/net/ethernet/broadcom/bnxt/Makefile
+++ b/drivers/net/ethernet/broadcom/bnxt/Makefile
@@ -5,3 +5,4 @@ bnxt_en-y := bnxt.o bnxt_hwrm.o bnxt_sriov.o bnxt_ethtool.o bnxt_dcb.o bnxt_ulp.
bnxt_en-$(CONFIG_BNXT_FLOWER_OFFLOAD) += bnxt_tc.o
bnxt_en-$(CONFIG_DEBUG_FS) += bnxt_debugfs.o
bnxt_en-$(CONFIG_BNXT_HWMON) += bnxt_hwmon.o
+bnxt_en-$(CONFIG_BNXT_TLS) += bnxt_mpc.o
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 1eb214e4b511..f06c6978dd71 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -76,6 +76,7 @@
#include "bnxt_hwmon.h"
#include "bnxt_gso.h"
#include <net/tso.h>
+#include "bnxt_mpc.h"
#define BNXT_TX_TIMEOUT (5 * HZ)
#define BNXT_DEF_MSG_ENABLE (NETIF_MSG_DRV | NETIF_MSG_HW | \
@@ -9937,6 +9938,11 @@ static int __bnxt_hwrm_func_qcaps(struct bnxt *bp)
}
bp->tso_max_segs = le16_to_cpu(resp->max_tso_segs);
+ if (resp->mpc_chnls_cap)
+ bnxt_alloc_mpc_info(bp, resp->mpc_chnls_cap);
+ else
+ bnxt_free_mpc_info(bp);
+
hwrm_func_qcaps_exit:
hwrm_req_drop(bp, req);
return rc;
@@ -16495,6 +16501,7 @@ static void bnxt_remove_one(struct pci_dev *pdev)
bp->ptp_cfg = NULL;
kfree(bp->fw_health);
bp->fw_health = NULL;
+ bnxt_free_mpc_info(bp);
bnxt_cleanup_pci(bp);
bnxt_free_ctx_mem(bp, true);
bnxt_free_crash_dump_mem(bp);
@@ -17166,6 +17173,7 @@ static int bnxt_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
bnxt_ethtool_free(bp);
kfree(bp->fw_health);
bp->fw_health = NULL;
+ bnxt_free_mpc_info(bp);
bnxt_cleanup_pci(bp);
bnxt_free_ctx_mem(bp, true);
bnxt_free_crash_dump_mem(bp);
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
index 29ff5a584d16..f8bfe1a57af0 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
@@ -2451,6 +2451,8 @@ struct bnxt {
u8 tph_mode;
+ struct bnxt_mpc_info *mpc_info;
+
unsigned int current_interval;
#define BNXT_TIMER_INTERVAL HZ
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c
new file mode 100644
index 000000000000..86087e538550
--- /dev/null
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c
@@ -0,0 +1,26 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/* Copyright (c) 2026 Broadcom Inc. */
+
+#include <linux/stddef.h>
+#include <linux/types.h>
+#include <linux/slab.h>
+#include <linux/bnxt/hsi.h>
+
+#include "bnxt.h"
+#include "bnxt_mpc.h"
+
+void bnxt_alloc_mpc_info(struct bnxt *bp, u8 mpc_chnls_cap)
+{
+ if (!bp->mpc_info)
+ bp->mpc_info = kzalloc_obj(*bp->mpc_info);
+ if (bp->mpc_info)
+ bp->mpc_info->mpc_chnls_cap = mpc_chnls_cap;
+ else
+ netdev_warn(bp->dev, "Unable to allocate MPC info\n");
+}
+
+void bnxt_free_mpc_info(struct bnxt *bp)
+{
+ kfree(bp->mpc_info);
+ bp->mpc_info = NULL;
+}
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h
new file mode 100644
index 000000000000..cd3f268a3a29
--- /dev/null
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h
@@ -0,0 +1,47 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/* Copyright (c) 2026 Broadcom Inc. */
+
+#ifndef BNXT_MPC_H
+#define BNXT_MPC_H
+
+/* Mid path channel (MPC) definitions. An MPC is special TX/completion
+ * ring pair to send/receive control plane data to the TCE and RCE
+ * (Transmit/Receive Crypto Engine) HW blocks.
+ */
+
+enum bnxt_mpc_type {
+ BNXT_MPC_TCE_TYPE = RING_ALLOC_REQ_MPC_CHNLS_TYPE_TCE,
+ BNXT_MPC_RCE_TYPE = RING_ALLOC_REQ_MPC_CHNLS_TYPE_RCE,
+ BNXT_MPC_TYPE_MAX,
+};
+
+#define BNXT_MAX_MPC 8
+
+struct bnxt_mpc_info {
+ u8 mpc_chnls_cap;
+ u8 mpc_cp_rings;
+ u8 mpc_ring_count[BNXT_MPC_TYPE_MAX];
+ struct bnxt_tx_ring_info *mpc_rings[BNXT_MPC_TYPE_MAX];
+};
+
+#define BNXT_MPC_CRYPTO_CAP \
+ (FUNC_QCAPS_RESP_MPC_CHNLS_CAP_TCE | FUNC_QCAPS_RESP_MPC_CHNLS_CAP_RCE)
+
+#define BNXT_MPC_CRYPTO_CAPABLE(bp) \
+ ((bp)->mpc_info ? \
+ ((bp)->mpc_info->mpc_chnls_cap & BNXT_MPC_CRYPTO_CAP) == \
+ BNXT_MPC_CRYPTO_CAP : false)
+
+#ifdef CONFIG_BNXT_TLS
+void bnxt_alloc_mpc_info(struct bnxt *bp, u8 mpc_chnls_cap);
+void bnxt_free_mpc_info(struct bnxt *bp);
+#else
+static inline void bnxt_alloc_mpc_info(struct bnxt *bp, u8 mpc_chnls_cap)
+{
+}
+
+static inline void bnxt_free_mpc_info(struct bnxt *bp)
+{
+}
+#endif /* CONFIG_BNXT_TLS */
+#endif /* BNXT_MPC_H */
--
2.51.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH net-next v3 02/15] bnxt_en: Account for the MPC TX and CP rings
2026-06-14 7:23 [PATCH net-next v3 00/15] bnxt_en: Add kTLS TX offload support Michael Chan
2026-06-14 7:23 ` [PATCH net-next v3 01/15] bnxt_en: Add Midpath channel information Michael Chan
@ 2026-06-14 7:23 ` Michael Chan
2026-06-14 7:23 ` [PATCH net-next v3 03/15] bnxt_en: Set default MPC ring count Michael Chan
` (12 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: Michael Chan @ 2026-06-14 7:23 UTC (permalink / raw)
To: davem
Cc: netdev, edumazet, kuba, pabeni, andrew+netdev, pavan.chebbi,
andrew.gospodarek, Ajit Khaparde, Kalesh AP
Modify bnxt_cp_rings_in_use(), bnxt_get_max_func_cp_rings_for_en(),
and _bnxt_get_max_rings() to account for any TX rings and CP rings
used by MPCs. Add a new helper bnxt_total_tx_rings() to include
MPC TX rings. Ring reservations will now include the MPC rings.
Reviewed-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 45 ++++++++++++++-----
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 1 +
drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c | 21 +++++++++
drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h | 12 +++++
.../net/ethernet/broadcom/bnxt/bnxt_sriov.c | 6 +--
5 files changed, 71 insertions(+), 14 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index f06c6978dd71..2ee7928ec50d 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -7746,6 +7746,11 @@ static void bnxt_hwrm_ring_free(struct bnxt *bp, bool close_path)
}
}
+int bnxt_total_tx_rings(struct bnxt *bp)
+{
+ return bp->tx_nr_rings + bnxt_mpc_tx_rings_in_use(bp);
+}
+
static int __bnxt_trim_rings(struct bnxt *bp, int *rx, int *tx, int max,
bool shared);
static int bnxt_trim_rings(struct bnxt *bp, int *rx, int *tx, int max,
@@ -7786,19 +7791,28 @@ static int bnxt_hwrm_get_rings(struct bnxt *bp)
stats = le16_to_cpu(resp->alloc_stat_ctx);
hw_resc->resv_irqs = cp;
if (bp->flags & BNXT_FLAG_CHIP_P5_PLUS) {
+ int mpc_tx = bnxt_mpc_tx_rings_in_use(bp);
+ int mpc_cp = bnxt_mpc_cp_rings_in_use(bp);
int rx = hw_resc->resv_rx_rings;
int tx = hw_resc->resv_tx_rings;
+ int cp_p5;
+ if (tx <= mpc_tx || cp <= mpc_cp) {
+ rc = -ENOMEM;
+ goto get_rings_exit;
+ }
+ tx -= mpc_tx;
+ cp_p5 = cp - mpc_cp;
if (bp->flags & BNXT_FLAG_AGG_RINGS)
rx >>= 1;
- if (cp < (rx + tx)) {
- rc = __bnxt_trim_rings(bp, &rx, &tx, cp, false);
+ if (cp_p5 < (rx + tx)) {
+ rc = __bnxt_trim_rings(bp, &rx, &tx, cp_p5, false);
if (rc)
goto get_rings_exit;
if (bp->flags & BNXT_FLAG_AGG_RINGS)
rx <<= 1;
hw_resc->resv_rx_rings = rx;
- hw_resc->resv_tx_rings = tx;
+ hw_resc->resv_tx_rings = tx + mpc_tx;
}
hw_resc->resv_irqs = le16_to_cpu(resp->alloc_msix);
hw_resc->resv_hw_ring_grps = rx;
@@ -7990,7 +8004,7 @@ static int bnxt_cp_rings_in_use(struct bnxt *bp)
return bnxt_nq_rings_in_use(bp);
cp = bp->tx_nr_rings + bp->rx_nr_rings;
- return cp;
+ return cp + bnxt_mpc_cp_rings_in_use(bp);
}
static int bnxt_get_func_stat_ctxs(struct bnxt *bp)
@@ -8048,7 +8062,7 @@ static void bnxt_get_total_resources(struct bnxt *bp, struct bnxt_hw_rings *hwr)
hwr->cp_p5 = 0;
if (bp->flags & BNXT_FLAG_CHIP_P5_PLUS)
hwr->cp_p5 = bnxt_cp_rings_in_use(bp);
- hwr->tx = bp->tx_nr_rings;
+ hwr->tx = bnxt_total_tx_rings(bp);
hwr->rx = bp->rx_nr_rings;
hwr->grp = hwr->rx;
hwr->vnic = bnxt_get_total_vnics(bp, hwr->rx);
@@ -8154,8 +8168,10 @@ static int __bnxt_reserve_rings(struct bnxt *bp)
hwr.rx = bp->rx_nr_rings;
if (bp->flags & BNXT_FLAG_SHARED_RINGS)
sh = true;
- if (bp->flags & BNXT_FLAG_CHIP_P5_PLUS)
- hwr.cp_p5 = hwr.rx + hwr.tx;
+ if (bp->flags & BNXT_FLAG_CHIP_P5_PLUS) {
+ hwr.cp_p5 = hwr.rx + hwr.tx + bnxt_mpc_cp_rings_in_use(bp);
+ hwr.tx += bnxt_mpc_tx_rings_in_use(bp);
+ }
hwr.vnic = bnxt_get_total_vnics(bp, hwr.rx);
@@ -8192,6 +8208,9 @@ static int __bnxt_reserve_rings(struct bnxt *bp)
if (bnxt_ulp_registered(edev) && hwr.stat > bnxt_get_ulp_stat_ctxs(bp))
hwr.stat -= bnxt_get_ulp_stat_ctxs(bp);
hwr.cp = min_t(int, hwr.cp, hwr.stat);
+ hwr.tx -= bnxt_mpc_tx_rings_in_use(bp);
+ if (hwr.tx < 0)
+ return -ENOMEM;
rc = bnxt_trim_rings(bp, &rx_rings, &hwr.tx, hwr.cp, sh);
if (bp->flags & BNXT_FLAG_AGG_RINGS)
hwr.rx = rx_rings << 1;
@@ -11472,12 +11491,13 @@ unsigned int bnxt_get_max_func_cp_rings(struct bnxt *bp)
static unsigned int bnxt_get_max_func_cp_rings_for_en(struct bnxt *bp)
{
+ unsigned int mpc_cp = (unsigned int)bnxt_mpc_cp_rings_in_use(bp);
unsigned int cp = bp->hw_resc.max_cp_rings;
if (!(bp->flags & BNXT_FLAG_CHIP_P5_PLUS))
cp -= bnxt_get_ulp_msix_num(bp);
- return cp;
+ return mpc_cp >= cp ? 0 : cp - mpc_cp;
}
static unsigned int bnxt_get_max_func_irqs(struct bnxt *bp)
@@ -14875,8 +14895,10 @@ int bnxt_check_rings(struct bnxt *bp, int tx, int rx, bool sh, int tcs,
hwr.grp = rx;
hwr.rss_ctx = bnxt_get_total_rss_ctxs(bp, &hwr);
}
- if (bp->flags & BNXT_FLAG_CHIP_P5_PLUS)
- hwr.cp_p5 = hwr.tx + rx;
+ if (bp->flags & BNXT_FLAG_CHIP_P5_PLUS) {
+ hwr.cp_p5 = hwr.tx + rx + bnxt_mpc_cp_rings_in_use(bp);
+ hwr.tx += bnxt_mpc_tx_rings_in_use(bp);
+ }
rc = bnxt_hwrm_check_rings(bp, &hwr);
if (!rc && pci_msix_can_alloc_dyn(bp->pdev)) {
if (!bnxt_ulp_registered(bp->edev[BNXT_AUXDEV_RDMA])) {
@@ -16571,7 +16593,8 @@ static void _bnxt_get_max_rings(struct bnxt *bp, int *max_rx, int *max_tx,
struct bnxt_hw_resc *hw_resc = &bp->hw_resc;
int max_ring_grps = 0, max_irq;
- *max_tx = hw_resc->max_tx_rings;
+ *max_tx = max(0, (int)hw_resc->max_tx_rings -
+ bnxt_mpc_tx_rings_in_use(bp));
*max_rx = hw_resc->max_rx_rings;
*max_cp = bnxt_get_max_func_cp_rings_for_en(bp);
max_irq = min_t(int, bnxt_get_max_func_irqs(bp) -
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
index f8bfe1a57af0..b1ef88f015d5 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
@@ -2987,6 +2987,7 @@ int bnxt_hwrm_vnic_cfg(struct bnxt *bp, struct bnxt_vnic_info *vnic);
int bnxt_hwrm_vnic_alloc(struct bnxt *bp, struct bnxt_vnic_info *vnic,
unsigned int start_rx_ring_idx,
unsigned int nr_rings);
+int bnxt_total_tx_rings(struct bnxt *bp);
int __bnxt_hwrm_get_tx_rings(struct bnxt *bp, u16 fid, int *tx_rings);
int bnxt_nq_rings_in_use(struct bnxt *bp);
int bnxt_hwrm_set_coal(struct bnxt *);
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c
index 86087e538550..9859a5f86268 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c
@@ -24,3 +24,24 @@ void bnxt_free_mpc_info(struct bnxt *bp)
kfree(bp->mpc_info);
bp->mpc_info = NULL;
}
+
+int bnxt_mpc_tx_rings_in_use(struct bnxt *bp)
+{
+ struct bnxt_mpc_info *mpc = bp->mpc_info;
+ int i, mpc_tx = 0;
+
+ if (!mpc)
+ return 0;
+ for (i = 0; i < BNXT_MPC_TYPE_MAX; i++)
+ mpc_tx += mpc->mpc_ring_count[i];
+ return mpc_tx;
+}
+
+int bnxt_mpc_cp_rings_in_use(struct bnxt *bp)
+{
+ struct bnxt_mpc_info *mpc = bp->mpc_info;
+
+ if (!mpc)
+ return 0;
+ return mpc->mpc_cp_rings;
+}
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h
index cd3f268a3a29..7a7d81197ea6 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h
@@ -35,6 +35,8 @@ struct bnxt_mpc_info {
#ifdef CONFIG_BNXT_TLS
void bnxt_alloc_mpc_info(struct bnxt *bp, u8 mpc_chnls_cap);
void bnxt_free_mpc_info(struct bnxt *bp);
+int bnxt_mpc_tx_rings_in_use(struct bnxt *bp);
+int bnxt_mpc_cp_rings_in_use(struct bnxt *bp);
#else
static inline void bnxt_alloc_mpc_info(struct bnxt *bp, u8 mpc_chnls_cap)
{
@@ -43,5 +45,15 @@ static inline void bnxt_alloc_mpc_info(struct bnxt *bp, u8 mpc_chnls_cap)
static inline void bnxt_free_mpc_info(struct bnxt *bp)
{
}
+
+static inline int bnxt_mpc_tx_rings_in_use(struct bnxt *bp)
+{
+ return 0;
+}
+
+static inline int bnxt_mpc_cp_rings_in_use(struct bnxt *bp)
+{
+ return 0;
+}
#endif /* CONFIG_BNXT_TLS */
#endif /* BNXT_MPC_H */
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
index edcc002e4ca3..d57059722f5b 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
@@ -640,7 +640,7 @@ static int bnxt_hwrm_func_vf_resc_cfg(struct bnxt *bp, int num_vfs, bool reset)
vf_rx_rings = hw_resc->max_rx_rings - bp->rx_nr_rings * 2;
else
vf_rx_rings = hw_resc->max_rx_rings - bp->rx_nr_rings;
- vf_tx_rings = hw_resc->max_tx_rings - bp->tx_nr_rings;
+ vf_tx_rings = hw_resc->max_tx_rings - bnxt_total_tx_rings(bp);
vf_vnics = hw_resc->max_vnics - bp->nr_vnics;
vf_rss = hw_resc->max_rsscos_ctxs - bp->rsscos_nr_ctxs;
@@ -903,8 +903,8 @@ static int bnxt_sriov_enable(struct bnxt *bp, int *num_vfs)
avail_cp < min_rx_rings)
rx_ok = 0;
- if (hw_resc->max_tx_rings - bp->tx_nr_rings >= min_tx_rings &&
- avail_cp >= min_tx_rings)
+ if (hw_resc->max_tx_rings - bnxt_total_tx_rings(bp) >=
+ min_tx_rings && avail_cp >= min_tx_rings)
tx_ok = 1;
if (hw_resc->max_rsscos_ctxs - bp->rsscos_nr_ctxs >=
--
2.51.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH net-next v3 03/15] bnxt_en: Set default MPC ring count
2026-06-14 7:23 [PATCH net-next v3 00/15] bnxt_en: Add kTLS TX offload support Michael Chan
2026-06-14 7:23 ` [PATCH net-next v3 01/15] bnxt_en: Add Midpath channel information Michael Chan
2026-06-14 7:23 ` [PATCH net-next v3 02/15] bnxt_en: Account for the MPC TX and CP rings Michael Chan
@ 2026-06-14 7:23 ` Michael Chan
2026-06-14 7:23 ` [PATCH net-next v3 04/15] bnxt_en: Rename xdp_tx_lock to tx_lock Michael Chan
` (11 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: Michael Chan @ 2026-06-14 7:23 UTC (permalink / raw)
To: davem
Cc: netdev, edumazet, kuba, pabeni, andrew+netdev, pavan.chebbi,
andrew.gospodarek, Ajit Khaparde
If the firmware supports MPC channels and CONFIG_BNXT_TLS is set, set
the default number of MPC channels. These MPC rings will share MSIX
with the TX rings. The number of MPC channels for each type must not
exceed the ethtool TX channel count. bnxt_set_dflt_mpc_rings() will
determine the count for each MPC channel type and it cannot be directly
controlled by the user.
We also add bnxt_trim_mpc_rings() to make final adjustments in case
the number of reserved TX channels is less than expected.
Reviewed-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
---
v3:
Use proper int type for min_t().
v2:
https://lore.kernel.org/netdev/20260512212105.3488258-4-michael.chan@broadcom.com/
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 7 +++
.../net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 3 +
drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c | 63 +++++++++++++++++++
drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h | 15 +++++
4 files changed, 88 insertions(+)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 2ee7928ec50d..3e84a92d963d 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -13151,6 +13151,7 @@ static int __bnxt_open_nic(struct bnxt *bp, bool irq_re_init, bool link_re_init)
return rc;
bnxt_adj_tx_rings(bp);
+ bnxt_trim_mpc_rings(bp);
rc = bnxt_alloc_mem(bp, irq_re_init);
if (rc) {
netdev_err(bp->dev, "bnxt_alloc_mem err: %x\n", rc);
@@ -16691,6 +16692,7 @@ static void bnxt_trim_dflt_sh_rings(struct bnxt *bp)
bp->rx_nr_rings = bp->cp_nr_rings;
bp->tx_nr_rings_per_tc = bp->cp_nr_rings;
bp->tx_nr_rings = bnxt_tx_nr_rings(bp);
+ bnxt_trim_mpc_rings(bp);
}
static void bnxt_adj_dflt_rings(struct bnxt *bp, bool sh)
@@ -16742,6 +16744,8 @@ static int bnxt_set_dflt_rings(struct bnxt *bp, bool sh)
bnxt_set_dflt_ulp_stat_ctxs(bp);
}
+ bnxt_set_dflt_mpc_rings(bp);
+
rc = __bnxt_reserve_rings(bp);
if (rc && rc != -ENODEV)
netdev_warn(bp->dev, "Unable to reserve tx rings\n");
@@ -16756,6 +16760,7 @@ static int bnxt_set_dflt_rings(struct bnxt *bp, bool sh)
if (rc && rc != -ENODEV)
netdev_warn(bp->dev, "2nd rings reservation failed.\n");
bnxt_adj_tx_rings(bp);
+ bnxt_trim_mpc_rings(bp);
}
if (BNXT_CHIP_TYPE_NITRO_A0(bp)) {
bp->rx_nr_rings++;
@@ -16790,6 +16795,7 @@ static int bnxt_init_dflt_ring_mode(struct bnxt *bp)
goto init_dflt_ring_err;
bnxt_adj_tx_rings(bp);
+ bnxt_trim_mpc_rings(bp);
bnxt_set_dflt_rfs(bp);
@@ -17133,6 +17139,7 @@ static int bnxt_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
* limited MSIX, so we re-initialize the TX rings per TC.
*/
bp->tx_nr_rings_per_tc = bp->tx_nr_rings;
+ bnxt_trim_mpc_rings(bp);
if (BNXT_PF(bp)) {
if (!bnxt_pf_wq) {
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
index 56d74a3c24b7..c60c04c34fad 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
@@ -37,6 +37,7 @@
#include "bnxt_nvm_defs.h" /* NVRAM content constant and structure defs */
#include "bnxt_fw_hdr.h" /* Firmware hdr constant and structure defs */
#include "bnxt_coredump.h"
+#include "bnxt_mpc.h"
#define BNXT_NVM_ERR_MSG(dev, extack, msg) \
do { \
@@ -1050,6 +1051,8 @@ static int bnxt_set_channels(struct net_device *dev,
bnxt_set_cp_rings(bp, sh);
+ bnxt_set_dflt_mpc_rings(bp);
+
/* After changing number of rx channels, update NTUPLE feature. */
netdev_update_features(dev);
if (netif_running(dev)) {
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c
index 9859a5f86268..183f1a3726c7 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c
@@ -3,6 +3,7 @@
#include <linux/stddef.h>
#include <linux/types.h>
+#include <linux/kernel.h>
#include <linux/slab.h>
#include <linux/bnxt/hsi.h>
@@ -45,3 +46,65 @@ int bnxt_mpc_cp_rings_in_use(struct bnxt *bp)
return 0;
return mpc->mpc_cp_rings;
}
+
+void bnxt_trim_mpc_rings(struct bnxt *bp)
+{
+ struct bnxt_mpc_info *mpc = bp->mpc_info;
+ int max = bp->tx_nr_rings_per_tc;
+ u8 max_cp = 0;
+ int i;
+
+ if (!mpc)
+ return;
+
+ for (i = 0; i < BNXT_MPC_TYPE_MAX; i++) {
+ mpc->mpc_ring_count[i] = min_t(int, mpc->mpc_ring_count[i],
+ max);
+ max_cp = max(max_cp, mpc->mpc_ring_count[i]);
+ }
+ mpc->mpc_cp_rings = max_cp;
+}
+
+void bnxt_set_dflt_mpc_rings(struct bnxt *bp)
+{
+ struct bnxt_hw_resc *hw_resc = &bp->hw_resc;
+ struct bnxt_mpc_info *mpc = bp->mpc_info;
+ int mpc_tce, mpc_rce, avail, mpc_cp, i;
+
+ if (!BNXT_MPC_CRYPTO_CAPABLE(bp))
+ return;
+
+ avail = hw_resc->max_tx_rings - bp->tx_nr_rings;
+ /* don't use more than 80% */
+ avail = avail * 4 / 5;
+
+ if (avail < (BNXT_MIN_MPC_TCE + BNXT_MIN_MPC_RCE))
+ goto disable_mpc;
+
+ mpc_tce = min_t(int, avail / 2, bp->tx_nr_rings_per_tc);
+ mpc_rce = mpc_tce;
+
+ mpc_tce = min_t(int, mpc_tce, BNXT_DFLT_MPC_TCE);
+ mpc_rce = min_t(int, mpc_rce, BNXT_DFLT_MPC_RCE);
+
+ avail = hw_resc->max_cp_rings - bp->tx_nr_rings -
+ bp->rx_nr_rings;
+
+ if (avail < BNXT_MIN_MPC_TCE || avail < BNXT_MIN_MPC_RCE)
+ goto disable_mpc;
+
+ mpc_tce = min(mpc_tce, avail);
+ mpc_rce = min(mpc_rce, avail);
+
+ mpc_cp = max(mpc_tce, mpc_rce);
+
+ mpc->mpc_ring_count[BNXT_MPC_TCE_TYPE] = mpc_tce;
+ mpc->mpc_ring_count[BNXT_MPC_RCE_TYPE] = mpc_rce;
+ mpc->mpc_cp_rings = mpc_cp;
+ return;
+
+disable_mpc:
+ mpc->mpc_cp_rings = 0;
+ for (i = 0; i < BNXT_MPC_TYPE_MAX; i++)
+ mpc->mpc_ring_count[i] = 0;
+}
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h
index 7a7d81197ea6..4ff8cad75a23 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h
@@ -17,6 +17,11 @@ enum bnxt_mpc_type {
#define BNXT_MAX_MPC 8
+#define BNXT_MIN_MPC_TCE 1
+#define BNXT_MIN_MPC_RCE 1
+#define BNXT_DFLT_MPC_TCE BNXT_MAX_MPC
+#define BNXT_DFLT_MPC_RCE BNXT_MAX_MPC
+
struct bnxt_mpc_info {
u8 mpc_chnls_cap;
u8 mpc_cp_rings;
@@ -37,6 +42,8 @@ void bnxt_alloc_mpc_info(struct bnxt *bp, u8 mpc_chnls_cap);
void bnxt_free_mpc_info(struct bnxt *bp);
int bnxt_mpc_tx_rings_in_use(struct bnxt *bp);
int bnxt_mpc_cp_rings_in_use(struct bnxt *bp);
+void bnxt_trim_mpc_rings(struct bnxt *bp);
+void bnxt_set_dflt_mpc_rings(struct bnxt *bp);
#else
static inline void bnxt_alloc_mpc_info(struct bnxt *bp, u8 mpc_chnls_cap)
{
@@ -55,5 +62,13 @@ static inline int bnxt_mpc_cp_rings_in_use(struct bnxt *bp)
{
return 0;
}
+
+static inline void bnxt_trim_mpc_rings(struct bnxt *bp)
+{
+}
+
+static inline void bnxt_set_dflt_mpc_rings(struct bnxt *bp)
+{
+}
#endif /* CONFIG_BNXT_TLS */
#endif /* BNXT_MPC_H */
--
2.51.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH net-next v3 04/15] bnxt_en: Rename xdp_tx_lock to tx_lock
2026-06-14 7:23 [PATCH net-next v3 00/15] bnxt_en: Add kTLS TX offload support Michael Chan
` (2 preceding siblings ...)
2026-06-14 7:23 ` [PATCH net-next v3 03/15] bnxt_en: Set default MPC ring count Michael Chan
@ 2026-06-14 7:23 ` Michael Chan
2026-06-14 7:23 ` [PATCH net-next v3 05/15] bnxt_en: Allocate and free MPC software structures Michael Chan
` (10 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: Michael Chan @ 2026-06-14 7:23 UTC (permalink / raw)
To: davem
Cc: netdev, edumazet, kuba, pabeni, andrew+netdev, pavan.chebbi,
andrew.gospodarek, Kalesh AP
xdp_tx_lock in struct bnxt_tx_ring_info is used to serialize
XDP_REDIRECT on the same TX ring. MPCs will also need this lock
for a similar purpose to serialize sending multiple messages on
the same MPC, so rename it to tx_lock.
Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +-
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 4 ++--
drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 4 ++--
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 3e84a92d963d..5252ca1760ee 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -4148,7 +4148,7 @@ static int bnxt_alloc_tx_rings(struct bnxt *bp)
}
qidx = bp->tc_to_qidx[j];
ring->queue_id = bp->q_info[qidx].queue_id;
- spin_lock_init(&txr->xdp_tx_lock);
+ spin_lock_init(&txr->tx_lock);
if (i < bp->tx_nr_rings_xdp)
continue;
if (BNXT_RING_TO_TC_OFF(bp, i) == (bp->tx_nr_rings_per_tc - 1))
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
index b1ef88f015d5..ce86012a9ba7 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
@@ -1013,8 +1013,8 @@ struct bnxt_tx_ring_info {
u32 dev_state;
struct bnxt_ring_struct tx_ring_struct;
- /* Synchronize simultaneous xdp_xmit on same ring */
- spinlock_t xdp_tx_lock;
+ /* Synchronize simultaneous xdp_xmit on same ring or for MPC ring */
+ spinlock_t tx_lock;
};
#define BNXT_LEGACY_COAL_CMPL_PARAMS \
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c
index 9e5009be8e98..2a94a77847fe 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c
@@ -351,7 +351,7 @@ int bnxt_xdp_xmit(struct net_device *dev, int num_frames,
return -EINVAL;
if (static_branch_unlikely(&bnxt_xdp_locking_key))
- spin_lock(&txr->xdp_tx_lock);
+ spin_lock(&txr->tx_lock);
for (i = 0; i < num_frames; i++) {
struct xdp_frame *xdp = frames[i];
@@ -376,7 +376,7 @@ int bnxt_xdp_xmit(struct net_device *dev, int num_frames,
}
if (static_branch_unlikely(&bnxt_xdp_locking_key))
- spin_unlock(&txr->xdp_tx_lock);
+ spin_unlock(&txr->tx_lock);
return nxmit;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH net-next v3 05/15] bnxt_en: Allocate and free MPC software structures
2026-06-14 7:23 [PATCH net-next v3 00/15] bnxt_en: Add kTLS TX offload support Michael Chan
` (3 preceding siblings ...)
2026-06-14 7:23 ` [PATCH net-next v3 04/15] bnxt_en: Rename xdp_tx_lock to tx_lock Michael Chan
@ 2026-06-14 7:23 ` Michael Chan
2026-06-14 7:23 ` [PATCH net-next v3 06/15] bnxt_en: Allocate and free MPC channels from firmware Michael Chan
` (9 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: Michael Chan @ 2026-06-14 7:23 UTC (permalink / raw)
To: davem
Cc: netdev, edumazet, kuba, pabeni, andrew+netdev, pavan.chebbi,
andrew.gospodarek, Ajit Khaparde
Each MPC consists of a special TX ring and a completion ring. Use
existing structs bnxt_tx_ring_info and bnxt_cp_ring_info as control
structures. The 2 MPC channels to TCE and RCE that share the MSIX
will use a shared completion ring.
Reviewed-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 35 ++-
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 12 +-
drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c | 205 ++++++++++++++++++
drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h | 46 ++++
4 files changed, 291 insertions(+), 7 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 5252ca1760ee..ffedb9ee0454 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -3679,7 +3679,7 @@ static size_t __bnxt_copy_ring(struct bnxt *bp, struct bnxt_ring_mem_info *rmem,
return total_len;
}
-static void bnxt_free_ring(struct bnxt *bp, struct bnxt_ring_mem_info *rmem)
+void bnxt_free_ring(struct bnxt *bp, struct bnxt_ring_mem_info *rmem)
{
struct pci_dev *pdev = bp->pdev;
int i;
@@ -3712,7 +3712,7 @@ static void bnxt_free_ring(struct bnxt *bp, struct bnxt_ring_mem_info *rmem)
}
}
-static int bnxt_alloc_ring(struct bnxt *bp, struct bnxt_ring_mem_info *rmem)
+int bnxt_alloc_ring(struct bnxt *bp, struct bnxt_ring_mem_info *rmem)
{
struct pci_dev *pdev = bp->pdev;
u64 valid_bit = 0;
@@ -4319,6 +4319,8 @@ static int bnxt_alloc_cp_rings(struct bnxt *bp)
(!sh && i >= bp->rx_nr_rings)) {
cp_count += tcs;
tx = 1;
+ if (bnxt_napi_has_mpc(bp, i))
+ cp_count++;
}
cpr->cp_ring_arr = kzalloc_objs(*cpr, cp_count);
@@ -4340,6 +4342,11 @@ static int bnxt_alloc_cp_rings(struct bnxt *bp)
} else {
int n, tc = k - rx;
+ /* MPC rings are at the highest k indices */
+ if (tc >= tcs) {
+ bnxt_set_mpc_cp_ring(bp, i, cpr2);
+ continue;
+ }
n = BNXT_TC_TO_RING_BASE(bp, tc) + j;
bp->tx_ring[n].tx_cpr = cpr2;
cpr2->cp_ring_type = BNXT_NQ_HDL_TYPE_TX;
@@ -4472,6 +4479,7 @@ static void bnxt_init_ring_struct(struct bnxt *bp)
rmem->vmem = (void **)&txr->tx_buf_ring;
}
}
+ bnxt_init_mpc_ring_struct(bp);
}
static void bnxt_init_rxbd_pages(struct bnxt_ring_struct *ring, u32 type)
@@ -5548,6 +5556,7 @@ static void bnxt_init_l2_fltr_tbl(struct bnxt *bp)
static void bnxt_free_mem(struct bnxt *bp, bool irq_re_init)
{
bnxt_free_vnic_attributes(bp);
+ bnxt_free_mpc_rings(bp);
bnxt_free_tx_rings(bp);
bnxt_free_rx_rings(bp);
bnxt_free_cp_rings(bp);
@@ -5561,6 +5570,7 @@ static void bnxt_free_mem(struct bnxt *bp, bool irq_re_init)
bnxt_free_port_stats(bp);
bnxt_free_ring_grps(bp);
bnxt_free_vnics(bp);
+ bnxt_free_mpcs(bp);
kfree(bp->tx_ring_map);
bp->tx_ring_map = NULL;
kfree(bp->tx_ring);
@@ -5670,6 +5680,10 @@ static int bnxt_alloc_mem(struct bnxt *bp, bool irq_re_init)
txr->tx_cpr = &bnapi2->cp_ring;
}
+ rc = bnxt_alloc_mpcs(bp);
+ if (rc)
+ goto alloc_mem_err;
+
rc = bnxt_alloc_stats(bp);
if (rc)
goto alloc_mem_err;
@@ -5698,6 +5712,10 @@ static int bnxt_alloc_mem(struct bnxt *bp, bool irq_re_init)
if (rc)
goto alloc_mem_err;
+ rc = bnxt_alloc_mpc_rings(bp);
+ if (rc)
+ goto alloc_mem_err;
+
rc = bnxt_alloc_cp_rings(bp);
if (rc)
goto alloc_mem_err;
@@ -7252,10 +7270,15 @@ static int hwrm_ring_alloc_send_msg(struct bnxt *bp,
req->cmpl_ring_id = cpu_to_le16(bnxt_cp_ring_for_tx(bp, txr));
req->length = cpu_to_le32(bp->tx_ring_mask + 1);
req->stat_ctx_id = cpu_to_le32(grp_info->fw_stats_ctx);
- req->queue_id = cpu_to_le16(ring->queue_id);
- if (bp->flags & BNXT_FLAG_TX_COAL_CMPL)
- req->cmpl_coal_cnt =
- RING_ALLOC_REQ_CMPL_COAL_CNT_COAL_64;
+ if (ring->queue_id == BNXT_MPC_QUEUE_ID) {
+ req->mpc_chnls_type = ring->mpc_chnl_type;
+ req->enables |= cpu_to_le32(RING_ALLOC_REQ_ENABLES_MPC_CHNLS_TYPE);
+ } else {
+ req->queue_id = cpu_to_le16(ring->queue_id);
+ if (bp->flags & BNXT_FLAG_TX_COAL_CMPL)
+ req->cmpl_coal_cnt =
+ RING_ALLOC_REQ_CMPL_COAL_CNT_COAL_64;
+ }
if ((bp->fw_cap & BNXT_FW_CAP_TX_TS_CMP) && bp->ptp_cfg)
flags |= RING_ALLOC_REQ_FLAGS_TX_PKT_TS_CMPL_ENABLE;
req->flags = cpu_to_le16(flags);
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
index ce86012a9ba7..083b95dcfd73 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
@@ -686,6 +686,7 @@ struct nqe_cn {
#define BNXT_NQ_HDL_TYPE_SHIFT 24
#define BNXT_NQ_HDL_TYPE_RX 0x00
#define BNXT_NQ_HDL_TYPE_TX 0x01
+#define BNXT_NQ_HDL_TYPE_MP 0x02
#define BNXT_NQ_HDL_IDX(hdl) ((hdl) & BNXT_NQ_HDL_IDX_MASK)
#define BNXT_NQ_HDL_TYPE(hdl) (((hdl) & BNXT_NQ_HDL_TYPE_MASK) >> \
@@ -950,6 +951,8 @@ struct bnxt_ring_struct {
};
u32 handle;
u8 queue_id;
+#define BNXT_MPC_QUEUE_ID 0xff
+ u8 mpc_chnl_type;
};
struct tx_push_bd {
@@ -990,12 +993,16 @@ struct bnxt_tx_ring_info {
u16 tx_cons;
u16 tx_hw_cons;
u16 txq_index;
+ /* index for tx_ring[] or tx_mpc_ring[] in struct bnxt_napi */
u8 tx_napi_idx;
u8 kick_pending;
struct bnxt_db_info tx_db;
struct tx_bd *tx_desc_ring[MAX_TX_PAGES];
- struct bnxt_sw_tx_bd *tx_buf_ring;
+ union {
+ struct bnxt_sw_tx_bd *tx_buf_ring;
+ struct bnxt_sw_mpc_tx_bd *tx_mpc_buf_ring;
+ };
dma_addr_t tx_desc_mapping[MAX_TX_PAGES];
@@ -1241,6 +1248,7 @@ struct bnxt_napi {
struct bnxt_cp_ring_info cp_ring;
struct bnxt_rx_ring_info *rx_ring;
struct bnxt_tx_ring_info *tx_ring[BNXT_MAX_TXR_PER_NAPI];
+ struct bnxt_tx_ring_info **tx_mpc_ring;
void (*tx_int)(struct bnxt *, struct bnxt_napi *,
int budget);
@@ -2959,6 +2967,8 @@ int bnxt_alloc_rx_data(struct bnxt *bp, struct bnxt_rx_ring_info *rxr,
void bnxt_reuse_rx_data(struct bnxt_rx_ring_info *rxr, u16 cons, void *data);
u32 bnxt_fw_health_readl(struct bnxt *bp, int reg_idx);
bool bnxt_bs_trace_avail(struct bnxt *bp, u16 type);
+void bnxt_free_ring(struct bnxt *bp, struct bnxt_ring_mem_info *rmem);
+int bnxt_alloc_ring(struct bnxt *bp, struct bnxt_ring_mem_info *rmem);
void bnxt_set_tpa_flags(struct bnxt *bp);
void bnxt_set_ring_params(struct bnxt *);
void bnxt_set_rx_skb_mode(struct bnxt *bp, bool page_mode);
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c
index 183f1a3726c7..7bf686459170 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c
@@ -22,6 +22,8 @@ void bnxt_alloc_mpc_info(struct bnxt *bp, u8 mpc_chnls_cap)
void bnxt_free_mpc_info(struct bnxt *bp)
{
+ bnxt_free_mpc_rings(bp);
+ bnxt_free_mpcs(bp);
kfree(bp->mpc_info);
bp->mpc_info = NULL;
}
@@ -47,6 +49,55 @@ int bnxt_mpc_cp_rings_in_use(struct bnxt *bp)
return mpc->mpc_cp_rings;
}
+bool bnxt_napi_has_mpc(struct bnxt *bp, int i)
+{
+ struct bnxt_mpc_info *mpc = bp->mpc_info;
+ struct bnxt_napi *bnapi = bp->bnapi[i];
+ struct bnxt_tx_ring_info *txr;
+
+ if (!mpc)
+ return false;
+
+ txr = bnapi->tx_ring[0];
+ if (txr && !(bnapi->flags & BNXT_NAPI_FLAG_XDP))
+ return txr->txq_index < mpc->mpc_cp_rings;
+ return false;
+}
+
+void bnxt_set_mpc_cp_ring(struct bnxt *bp, int bnapi_idx,
+ struct bnxt_cp_ring_info *cpr)
+{
+ struct bnxt_mpc_info *mpc = bp->mpc_info;
+ struct bnxt_napi *bnapi;
+ bool found = false;
+ int i, j;
+
+ if (!mpc)
+ return;
+ bnapi = bp->bnapi[bnapi_idx];
+ /* Check both TCE and RCE MPCs for the matching NAPI */
+ for (i = 0; i < BNXT_MPC_TYPE_MAX; i++) {
+ int num = mpc->mpc_ring_count[i];
+
+ for (j = 0; j < num; j++) {
+ struct bnxt_tx_ring_info *txr = &mpc->mpc_rings[i][j];
+
+ /* Only 1 ring with index j will use this NAPI */
+ if (txr->bnapi == bnapi) {
+ txr->tx_cpr = cpr;
+ txr->tx_napi_idx = i;
+ bnapi->tx_mpc_ring[i] = txr;
+ found = true;
+ break;
+ }
+ }
+ }
+ if (!found)
+ netdev_warn_once(bp->dev, "No MPC match for napi index %d\n",
+ bnapi_idx);
+ cpr->cp_ring_type = BNXT_NQ_HDL_TYPE_MP;
+}
+
void bnxt_trim_mpc_rings(struct bnxt *bp)
{
struct bnxt_mpc_info *mpc = bp->mpc_info;
@@ -108,3 +159,157 @@ void bnxt_set_dflt_mpc_rings(struct bnxt *bp)
for (i = 0; i < BNXT_MPC_TYPE_MAX; i++)
mpc->mpc_ring_count[i] = 0;
}
+
+void bnxt_init_mpc_ring_struct(struct bnxt *bp)
+{
+ struct bnxt_mpc_info *mpc = bp->mpc_info;
+ int i, j;
+
+ if (!BNXT_MPC_CRYPTO_CAPABLE(bp))
+ return;
+
+ for (i = 0; i < BNXT_MPC_TYPE_MAX; i++) {
+ int num = mpc->mpc_ring_count[i];
+
+ if (!mpc->mpc_rings[i])
+ continue;
+ for (j = 0; j < num; j++) {
+ struct bnxt_ring_mem_info *rmem;
+ struct bnxt_ring_struct *ring;
+ struct bnxt_tx_ring_info *txr;
+
+ txr = &mpc->mpc_rings[i][j];
+
+ txr->tx_ring_struct.ring_mem.flags =
+ BNXT_RMEM_RING_PTE_FLAG;
+ txr->bnapi = bp->tx_ring[bp->tx_ring_map[j]].bnapi;
+ txr->txq_index = j;
+
+ ring = &txr->tx_ring_struct;
+ rmem = &ring->ring_mem;
+ rmem->nr_pages = bp->tx_nr_pages;
+ rmem->page_size = HW_TXBD_RING_SIZE;
+ rmem->pg_arr = (void **)txr->tx_desc_ring;
+ rmem->dma_arr = txr->tx_desc_mapping;
+ rmem->vmem_size = SW_MPC_TXBD_RING_SIZE *
+ bp->tx_nr_pages;
+ rmem->vmem = (void **)&txr->tx_mpc_buf_ring;
+ }
+ }
+}
+
+int bnxt_alloc_mpcs(struct bnxt *bp)
+{
+ struct bnxt_mpc_info *mpc = bp->mpc_info;
+ int i, rc = 0;
+
+ if (!BNXT_MPC_CRYPTO_CAPABLE(bp))
+ return 0;
+
+ for (i = 0; i < BNXT_MPC_TYPE_MAX; i++) {
+ int num = mpc->mpc_ring_count[i];
+ struct bnxt_tx_ring_info *txr;
+
+ if (!num)
+ continue;
+ txr = kzalloc_objs(*txr, num);
+ if (!txr) {
+ rc = -ENOMEM;
+ goto alloc_mpcs_exit;
+ }
+ mpc->mpc_rings[i] = txr;
+ }
+
+ for (i = 0; i < bp->cp_nr_rings; i++) {
+ struct bnxt_napi *bnapi = bp->bnapi[i];
+
+ if (!bnxt_napi_has_mpc(bp, i))
+ continue;
+ bnapi->tx_mpc_ring = kzalloc_objs(*bnapi->tx_mpc_ring,
+ BNXT_MPC_TYPE_MAX);
+ if (!bnapi->tx_mpc_ring) {
+ rc = -ENOMEM;
+ goto alloc_mpcs_exit;
+ }
+ }
+alloc_mpcs_exit:
+ if (rc)
+ bnxt_free_mpcs(bp);
+ return rc;
+}
+
+void bnxt_free_mpcs(struct bnxt *bp)
+{
+ struct bnxt_mpc_info *mpc = bp->mpc_info;
+ int i;
+
+ if (!mpc)
+ return;
+
+ for (i = 0; i < BNXT_MPC_TYPE_MAX; i++) {
+ kfree(mpc->mpc_rings[i]);
+ mpc->mpc_rings[i] = NULL;
+ }
+ if (!bp->bnapi)
+ return;
+ for (i = 0; i < bp->cp_nr_rings; i++) {
+ struct bnxt_napi *bnapi = bp->bnapi[i];
+
+ kfree(bnapi->tx_mpc_ring);
+ bnapi->tx_mpc_ring = NULL;
+ }
+}
+
+int bnxt_alloc_mpc_rings(struct bnxt *bp)
+{
+ struct bnxt_mpc_info *mpc = bp->mpc_info;
+ int i, j, rc = 0;
+
+ if (!mpc)
+ return 0;
+
+ for (i = 0; i < BNXT_MPC_TYPE_MAX; i++) {
+ int num = mpc->mpc_ring_count[i];
+
+ for (j = 0; j < num; j++) {
+ struct bnxt_tx_ring_info *txr = &mpc->mpc_rings[i][j];
+ struct bnxt_ring_struct *ring;
+
+ ring = &txr->tx_ring_struct;
+ rc = bnxt_alloc_ring(bp, &ring->ring_mem);
+ if (rc)
+ goto alloc_mpc_rings_exit;
+ ring->queue_id = BNXT_MPC_QUEUE_ID;
+ ring->mpc_chnl_type = i;
+ /* for stats context */
+ ring->grp_idx = txr->bnapi->index;
+ spin_lock_init(&txr->tx_lock);
+ }
+ }
+alloc_mpc_rings_exit:
+ if (rc)
+ bnxt_free_mpc_rings(bp);
+ return rc;
+}
+
+void bnxt_free_mpc_rings(struct bnxt *bp)
+{
+ struct bnxt_mpc_info *mpc = bp->mpc_info;
+ int i, j;
+
+ if (!mpc)
+ return;
+
+ for (i = 0; i < BNXT_MPC_TYPE_MAX; i++) {
+ int num = mpc->mpc_ring_count[i];
+
+ if (!mpc->mpc_rings[i])
+ continue;
+ for (j = 0; j < num; j++) {
+ struct bnxt_tx_ring_info *txr = &mpc->mpc_rings[i][j];
+ struct bnxt_ring_struct *ring = &txr->tx_ring_struct;
+
+ bnxt_free_ring(bp, &ring->ring_mem);
+ }
+ }
+}
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h
index 4ff8cad75a23..b54daf4ddd2f 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h
@@ -29,6 +29,12 @@ struct bnxt_mpc_info {
struct bnxt_tx_ring_info *mpc_rings[BNXT_MPC_TYPE_MAX];
};
+struct bnxt_sw_mpc_tx_bd {
+ unsigned long handle;
+};
+
+#define SW_MPC_TXBD_RING_SIZE (sizeof(struct bnxt_sw_mpc_tx_bd) * TX_DESC_CNT)
+
#define BNXT_MPC_CRYPTO_CAP \
(FUNC_QCAPS_RESP_MPC_CHNLS_CAP_TCE | FUNC_QCAPS_RESP_MPC_CHNLS_CAP_RCE)
@@ -42,8 +48,16 @@ void bnxt_alloc_mpc_info(struct bnxt *bp, u8 mpc_chnls_cap);
void bnxt_free_mpc_info(struct bnxt *bp);
int bnxt_mpc_tx_rings_in_use(struct bnxt *bp);
int bnxt_mpc_cp_rings_in_use(struct bnxt *bp);
+bool bnxt_napi_has_mpc(struct bnxt *bp, int i);
+void bnxt_set_mpc_cp_ring(struct bnxt *bp, int bnapi_idx,
+ struct bnxt_cp_ring_info *cpr);
void bnxt_trim_mpc_rings(struct bnxt *bp);
void bnxt_set_dflt_mpc_rings(struct bnxt *bp);
+void bnxt_init_mpc_ring_struct(struct bnxt *bp);
+int bnxt_alloc_mpcs(struct bnxt *bp);
+void bnxt_free_mpcs(struct bnxt *bp);
+int bnxt_alloc_mpc_rings(struct bnxt *bp);
+void bnxt_free_mpc_rings(struct bnxt *bp);
#else
static inline void bnxt_alloc_mpc_info(struct bnxt *bp, u8 mpc_chnls_cap)
{
@@ -63,6 +77,16 @@ static inline int bnxt_mpc_cp_rings_in_use(struct bnxt *bp)
return 0;
}
+static inline bool bnxt_napi_has_mpc(struct bnxt *bp, int i)
+{
+ return false;
+}
+
+static inline void bnxt_set_mpc_cp_ring(struct bnxt *bp, int bnapi_idx,
+ struct bnxt_cp_ring_info *cpr)
+{
+}
+
static inline void bnxt_trim_mpc_rings(struct bnxt *bp)
{
}
@@ -70,5 +94,27 @@ static inline void bnxt_trim_mpc_rings(struct bnxt *bp)
static inline void bnxt_set_dflt_mpc_rings(struct bnxt *bp)
{
}
+
+static inline void bnxt_init_mpc_ring_struct(struct bnxt *bp)
+{
+}
+
+static inline int bnxt_alloc_mpcs(struct bnxt *bp)
+{
+ return 0;
+}
+
+static inline void bnxt_free_mpcs(struct bnxt *bp)
+{
+}
+
+static inline int bnxt_alloc_mpc_rings(struct bnxt *bp)
+{
+ return 0;
+}
+
+static inline void bnxt_free_mpc_rings(struct bnxt *bp)
+{
+}
#endif /* CONFIG_BNXT_TLS */
#endif /* BNXT_MPC_H */
--
2.51.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH net-next v3 06/15] bnxt_en: Allocate and free MPC channels from firmware
2026-06-14 7:23 [PATCH net-next v3 00/15] bnxt_en: Add kTLS TX offload support Michael Chan
` (4 preceding siblings ...)
2026-06-14 7:23 ` [PATCH net-next v3 05/15] bnxt_en: Allocate and free MPC software structures Michael Chan
@ 2026-06-14 7:23 ` Michael Chan
2026-06-14 7:23 ` [PATCH net-next v3 07/15] bnxt_en: Allocate crypto structure and backing store Michael Chan
` (8 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: Michael Chan @ 2026-06-14 7:23 UTC (permalink / raw)
To: davem
Cc: netdev, edumazet, kuba, pabeni, andrew+netdev, pavan.chebbi,
andrew.gospodarek, Ajit Khaparde
Allocate and free the reserved MPC TX rings and completion rings from
firmware. MPC backing store memory also needs to be configured in
order to successfully allocate the MPC TX rings.
Reviewed-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 30 ++++--
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 6 ++
drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c | 92 +++++++++++++++++++
drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h | 16 ++++
4 files changed, 135 insertions(+), 9 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index ffedb9ee0454..0d6d4bb7fd6f 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -7473,8 +7473,7 @@ static int bnxt_hwrm_rx_agg_ring_alloc(struct bnxt *bp,
return 0;
}
-static int bnxt_hwrm_cp_ring_alloc_p5(struct bnxt *bp,
- struct bnxt_cp_ring_info *cpr)
+int bnxt_hwrm_cp_ring_alloc_p5(struct bnxt *bp, struct bnxt_cp_ring_info *cpr)
{
const u32 type = HWRM_RING_ALLOC_CMPL;
struct bnxt_napi *bnapi = cpr->bnapi;
@@ -7492,8 +7491,8 @@ static int bnxt_hwrm_cp_ring_alloc_p5(struct bnxt *bp,
return 0;
}
-static int bnxt_hwrm_tx_ring_alloc(struct bnxt *bp,
- struct bnxt_tx_ring_info *txr, u32 tx_idx)
+int bnxt_hwrm_tx_ring_alloc(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
+ u32 tx_idx)
{
struct bnxt_ring_struct *ring = &txr->tx_ring_struct;
const u32 type = HWRM_RING_ALLOC_TX;
@@ -7578,6 +7577,9 @@ static int bnxt_hwrm_ring_alloc(struct bnxt *bp)
goto err_out;
}
}
+
+ rc = bnxt_hwrm_mpc_ring_alloc(bp);
+
err_out:
return rc;
}
@@ -7635,9 +7637,8 @@ static int hwrm_ring_free_send_msg(struct bnxt *bp,
return 0;
}
-static void bnxt_hwrm_tx_ring_free(struct bnxt *bp,
- struct bnxt_tx_ring_info *txr,
- bool close_path)
+void bnxt_hwrm_tx_ring_free(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
+ bool close_path)
{
struct bnxt_ring_struct *ring = &txr->tx_ring_struct;
u32 cmpl_ring_id;
@@ -7696,8 +7697,7 @@ static void bnxt_hwrm_rx_agg_ring_free(struct bnxt *bp,
bp->grp_info[grp_idx].agg_fw_ring_id = INVALID_HW_RING_ID;
}
-static void bnxt_hwrm_cp_ring_free(struct bnxt *bp,
- struct bnxt_cp_ring_info *cpr)
+void bnxt_hwrm_cp_ring_free(struct bnxt *bp, struct bnxt_cp_ring_info *cpr)
{
struct bnxt_ring_struct *ring;
@@ -7731,6 +7731,8 @@ static void bnxt_hwrm_ring_free(struct bnxt *bp, bool close_path)
if (!bp->bnapi)
return;
+ bnxt_hwrm_mpc_ring_free(bp, close_path);
+
for (i = 0; i < bp->tx_nr_rings; i++)
bnxt_hwrm_tx_ring_free(bp, &bp->tx_ring[i], close_path);
@@ -9368,12 +9370,21 @@ static int bnxt_hwrm_func_backing_store_cfg_v2(struct bnxt *bp,
static int bnxt_backing_store_cfg_v2(struct bnxt *bp)
{
+ struct bnxt_mpc_info *mpc = bp->mpc_info;
struct bnxt_ctx_mem_info *ctx = bp->ctx;
struct bnxt_ctx_mem_type *ctxm;
u16 last_type = BNXT_CTX_INV;
int rc = 0;
u16 type;
+ if (mpc && mpc->mpc_chnls_cap) {
+ ctxm = &ctx->ctx_arr[BNXT_CTX_MTQM];
+ rc = bnxt_setup_ctxm_pg_tbls(bp, ctxm, ctxm->max_entries, 1);
+ if (rc)
+ return rc;
+ last_type = BNXT_CTX_MTQM;
+ }
+
for (type = BNXT_CTX_SRT; type <= BNXT_CTX_QPC; type++) {
ctxm = &ctx->ctx_arr[type];
if (!bnxt_bs_trace_avail(bp, type))
@@ -11324,6 +11335,7 @@ static int bnxt_init_nic(struct bnxt *bp, bool irq_re_init)
bnxt_init_cp_rings(bp);
bnxt_init_rx_rings(bp);
bnxt_init_tx_rings(bp);
+ bnxt_init_mpc_rings(bp);
bnxt_init_ring_grps(bp, irq_re_init);
bnxt_init_vnics(bp);
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
index 083b95dcfd73..f875f130f070 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
@@ -2997,6 +2997,12 @@ int bnxt_hwrm_vnic_cfg(struct bnxt *bp, struct bnxt_vnic_info *vnic);
int bnxt_hwrm_vnic_alloc(struct bnxt *bp, struct bnxt_vnic_info *vnic,
unsigned int start_rx_ring_idx,
unsigned int nr_rings);
+int bnxt_hwrm_cp_ring_alloc_p5(struct bnxt *bp, struct bnxt_cp_ring_info *cpr);
+int bnxt_hwrm_tx_ring_alloc(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
+ u32 tx_idx);
+void bnxt_hwrm_tx_ring_free(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
+ bool close_path);
+void bnxt_hwrm_cp_ring_free(struct bnxt *bp, struct bnxt_cp_ring_info *cpr);
int bnxt_total_tx_rings(struct bnxt *bp);
int __bnxt_hwrm_get_tx_rings(struct bnxt *bp, u16 fid, int *tx_rings);
int bnxt_nq_rings_in_use(struct bnxt *bp);
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c
index 7bf686459170..cd104b7ff1d7 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c
@@ -313,3 +313,95 @@ void bnxt_free_mpc_rings(struct bnxt *bp)
}
}
}
+
+void bnxt_init_mpc_rings(struct bnxt *bp)
+{
+ struct bnxt_mpc_info *mpc = bp->mpc_info;
+ int i, j;
+
+ if (!mpc)
+ return;
+
+ for (i = 0; i < BNXT_MPC_TYPE_MAX; i++) {
+ int num = mpc->mpc_ring_count[i];
+
+ for (j = 0; j < num; j++) {
+ struct bnxt_tx_ring_info *txr = &mpc->mpc_rings[i][j];
+ struct bnxt_ring_struct *ring = &txr->tx_ring_struct;
+
+ txr->tx_prod = 0;
+ txr->tx_cons = 0;
+ txr->tx_hw_cons = 0;
+ ring->fw_ring_id = INVALID_HW_RING_ID;
+ }
+ }
+}
+
+static int bnxt_hwrm_one_mpc_ring_alloc(struct bnxt *bp,
+ struct bnxt_tx_ring_info *txr)
+{
+ struct bnxt_cp_ring_info *cpr = txr->tx_cpr;
+ struct bnxt_ring_struct *ring;
+ int rc;
+
+ ring = &cpr->cp_ring_struct;
+ if (ring->fw_ring_id == INVALID_HW_RING_ID) {
+ rc = bnxt_hwrm_cp_ring_alloc_p5(bp, cpr);
+ if (rc)
+ return rc;
+ }
+ /* tx_idx not used on P5_PLUS, so set it to 0 */
+ return bnxt_hwrm_tx_ring_alloc(bp, txr, 0);
+}
+
+int bnxt_hwrm_mpc_ring_alloc(struct bnxt *bp)
+{
+ struct bnxt_mpc_info *mpc = bp->mpc_info;
+ int i, j, rc = 0;
+
+ if (!mpc)
+ return 0;
+
+ for (i = 0; i < BNXT_MPC_TYPE_MAX; i++) {
+ int num = mpc->mpc_ring_count[i];
+
+ for (j = 0; j < num; j++) {
+ struct bnxt_tx_ring_info *txr = &mpc->mpc_rings[i][j];
+
+ rc = bnxt_hwrm_one_mpc_ring_alloc(bp, txr);
+ if (rc)
+ goto mpc_ring_alloc_exit;
+ }
+ }
+mpc_ring_alloc_exit:
+ if (rc)
+ bnxt_hwrm_mpc_ring_free(bp, false);
+ return rc;
+}
+
+void bnxt_hwrm_mpc_ring_free(struct bnxt *bp, bool close_path)
+{
+ struct bnxt_mpc_info *mpc = bp->mpc_info;
+ struct bnxt_cp_ring_info *cpr;
+ int i, j;
+
+ if (!mpc)
+ return;
+
+ for (i = 0; i < BNXT_MPC_TYPE_MAX; i++) {
+ for (j = 0; j < mpc->mpc_ring_count[i]; j++)
+ bnxt_hwrm_tx_ring_free(bp, &mpc->mpc_rings[i][j],
+ close_path);
+ }
+ /* CP rings must be freed at the end to guarantee that the HWRM_DONE
+ * responses for HWRM_RING_FREE can still be seen on the CP rings.
+ */
+ for (i = 0; i < BNXT_MPC_TYPE_MAX; i++) {
+ for (j = 0; j < mpc->mpc_ring_count[i]; j++) {
+ cpr = mpc->mpc_rings[i][j].tx_cpr;
+ if (cpr && cpr->cp_ring_struct.fw_ring_id !=
+ INVALID_HW_RING_ID)
+ bnxt_hwrm_cp_ring_free(bp, cpr);
+ }
+ }
+}
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h
index b54daf4ddd2f..cdc03a074963 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h
@@ -58,6 +58,9 @@ int bnxt_alloc_mpcs(struct bnxt *bp);
void bnxt_free_mpcs(struct bnxt *bp);
int bnxt_alloc_mpc_rings(struct bnxt *bp);
void bnxt_free_mpc_rings(struct bnxt *bp);
+void bnxt_init_mpc_rings(struct bnxt *bp);
+int bnxt_hwrm_mpc_ring_alloc(struct bnxt *bp);
+void bnxt_hwrm_mpc_ring_free(struct bnxt *bp, bool close_path);
#else
static inline void bnxt_alloc_mpc_info(struct bnxt *bp, u8 mpc_chnls_cap)
{
@@ -116,5 +119,18 @@ static inline int bnxt_alloc_mpc_rings(struct bnxt *bp)
static inline void bnxt_free_mpc_rings(struct bnxt *bp)
{
}
+
+static inline void bnxt_init_mpc_rings(struct bnxt *bp)
+{
+}
+
+static inline int bnxt_hwrm_mpc_ring_alloc(struct bnxt *bp)
+{
+ return 0;
+}
+
+static inline void bnxt_hwrm_mpc_ring_free(struct bnxt *bp, bool close_path)
+{
+}
#endif /* CONFIG_BNXT_TLS */
#endif /* BNXT_MPC_H */
--
2.51.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH net-next v3 07/15] bnxt_en: Allocate crypto structure and backing store
2026-06-14 7:23 [PATCH net-next v3 00/15] bnxt_en: Add kTLS TX offload support Michael Chan
` (5 preceding siblings ...)
2026-06-14 7:23 ` [PATCH net-next v3 06/15] bnxt_en: Allocate and free MPC channels from firmware Michael Chan
@ 2026-06-14 7:23 ` Michael Chan
2026-06-14 7:24 ` [PATCH net-next v3 08/15] bnxt_en: Reserve crypto RX and TX key contexts on a PF Michael Chan
` (7 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: Michael Chan @ 2026-06-14 7:23 UTC (permalink / raw)
To: davem
Cc: netdev, edumazet, kuba, pabeni, andrew+netdev, pavan.chebbi,
andrew.gospodarek
If the chip and firmware support crypto (TLS) offload, allocate a
bp->crypto_info software structure and backing store to support the RX
and TX contexts. Each offloaded TLS connection requires a backing
store context for each direction.
bp->crypto_info will stay persistent even if kTLS is no longer
supported after a FW reset. This makes it easier to avoid NULL
dereference of bp->crypto_info during FW reset and kTLS offload
race conditions.
Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
---
v3:
bp->crypto_info and bp->ktls_info now stay persistent for the driver's
lifetime. max keys are refreshed after re-init.
v2:
https://lore.kernel.org/netdev/20260512212105.3488258-8-michael.chan@broadcom.com/
---
drivers/net/ethernet/broadcom/bnxt/Makefile | 2 +-
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 21 +++++
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 4 +
.../net/ethernet/broadcom/bnxt/bnxt_crypto.c | 82 +++++++++++++++++++
.../net/ethernet/broadcom/bnxt/bnxt_crypto.h | 47 +++++++++++
include/linux/bnxt/hsi.h | 37 +++++++++
6 files changed, 192 insertions(+), 1 deletion(-)
create mode 100644 drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c
create mode 100644 drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.h
diff --git a/drivers/net/ethernet/broadcom/bnxt/Makefile b/drivers/net/ethernet/broadcom/bnxt/Makefile
index 0506574c007a..3acdb81fa958 100644
--- a/drivers/net/ethernet/broadcom/bnxt/Makefile
+++ b/drivers/net/ethernet/broadcom/bnxt/Makefile
@@ -5,4 +5,4 @@ bnxt_en-y := bnxt.o bnxt_hwrm.o bnxt_sriov.o bnxt_ethtool.o bnxt_dcb.o bnxt_ulp.
bnxt_en-$(CONFIG_BNXT_FLOWER_OFFLOAD) += bnxt_tc.o
bnxt_en-$(CONFIG_DEBUG_FS) += bnxt_debugfs.o
bnxt_en-$(CONFIG_BNXT_HWMON) += bnxt_hwmon.o
-bnxt_en-$(CONFIG_BNXT_TLS) += bnxt_mpc.o
+bnxt_en-$(CONFIG_BNXT_TLS) += bnxt_mpc.o bnxt_crypto.o
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 0d6d4bb7fd6f..dd8b3e09fd2d 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -77,6 +77,7 @@
#include "bnxt_gso.h"
#include <net/tso.h>
#include "bnxt_mpc.h"
+#include "bnxt_crypto.h"
#define BNXT_TX_TIMEOUT (5 * HZ)
#define BNXT_DEF_MSG_ENABLE (NETIF_MSG_DRV | NETIF_MSG_HW | \
@@ -9370,6 +9371,7 @@ static int bnxt_hwrm_func_backing_store_cfg_v2(struct bnxt *bp,
static int bnxt_backing_store_cfg_v2(struct bnxt *bp)
{
+ struct bnxt_crypto_info *crypto = bp->crypto_info;
struct bnxt_mpc_info *mpc = bp->mpc_info;
struct bnxt_ctx_mem_info *ctx = bp->ctx;
struct bnxt_ctx_mem_type *ctxm;
@@ -9377,6 +9379,19 @@ static int bnxt_backing_store_cfg_v2(struct bnxt *bp)
int rc = 0;
u16 type;
+ if (BNXT_SUPPORTS_KTLS(bp)) {
+ ctxm = &ctx->ctx_arr[BNXT_CTX_TCK];
+ rc = bnxt_setup_ctxm_pg_tbls(bp, ctxm,
+ BNXT_TCK(crypto).max_ctx, 1);
+ if (rc)
+ return rc;
+ ctxm = &ctx->ctx_arr[BNXT_CTX_RCK];
+ rc = bnxt_setup_ctxm_pg_tbls(bp, ctxm,
+ BNXT_RCK(crypto).max_ctx, 1);
+ if (rc)
+ return rc;
+ last_type = BNXT_CTX_RCK;
+ }
if (mpc && mpc->mpc_chnls_cap) {
ctxm = &ctx->ctx_arr[BNXT_CTX_MTQM];
rc = bnxt_setup_ctxm_pg_tbls(bp, ctxm, ctxm->max_entries, 1);
@@ -9919,6 +9934,10 @@ static int __bnxt_hwrm_func_qcaps(struct bnxt *bp)
bp->fw_cap |= BNXT_FW_CAP_BACKING_STORE_V2;
if (flags_ext & FUNC_QCAPS_RESP_FLAGS_EXT_TX_COAL_CMPL_CAP)
bp->flags |= BNXT_FLAG_TX_COAL_CMPL;
+ if (flags_ext & FUNC_QCAPS_RESP_FLAGS_EXT_KTLS_SUPPORTED)
+ bnxt_alloc_crypto_info(bp, resp);
+ else
+ bp->fw_cap &= ~BNXT_FW_CAP_KTLS;
flags_ext2 = le32_to_cpu(resp->flags_ext2);
if (flags_ext2 & FUNC_QCAPS_RESP_FLAGS_EXT2_RX_ALL_PKTS_TIMESTAMPS_SUPPORTED)
@@ -16559,6 +16578,7 @@ static void bnxt_remove_one(struct pci_dev *pdev)
bp->ptp_cfg = NULL;
kfree(bp->fw_health);
bp->fw_health = NULL;
+ bnxt_free_crypto_info(bp);
bnxt_free_mpc_info(bp);
bnxt_cleanup_pci(bp);
bnxt_free_ctx_mem(bp, true);
@@ -17238,6 +17258,7 @@ static int bnxt_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
bnxt_ethtool_free(bp);
kfree(bp->fw_health);
bp->fw_health = NULL;
+ bnxt_free_crypto_info(bp);
bnxt_free_mpc_info(bp);
bnxt_cleanup_pci(bp);
bnxt_free_ctx_mem(bp, true);
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
index f875f130f070..954c679e0290 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
@@ -2460,6 +2460,7 @@ struct bnxt {
u8 tph_mode;
struct bnxt_mpc_info *mpc_info;
+ struct bnxt_crypto_info *crypto_info;
unsigned int current_interval;
#define BNXT_TIMER_INTERVAL HZ
@@ -2547,6 +2548,7 @@ struct bnxt {
#define BNXT_FW_CAP_NPAR_1_2 BIT_ULL(42)
#define BNXT_FW_CAP_MIRROR_ON_ROCE BIT_ULL(43)
#define BNXT_FW_CAP_PTP_PTM BIT_ULL(44)
+ #define BNXT_FW_CAP_KTLS BIT_ULL(45)
u32 fw_dbg_cap;
@@ -2572,6 +2574,8 @@ struct bnxt {
((bp)->fw_cap & BNXT_FW_CAP_SW_MAX_RESOURCE_LIMITS)
#define BNXT_MIRROR_ON_ROCE_CAP(bp) \
((bp)->fw_cap & BNXT_FW_CAP_MIRROR_ON_ROCE)
+#define BNXT_SUPPORTS_KTLS(bp) \
+ ((bp)->fw_cap & BNXT_FW_CAP_KTLS)
u32 hwrm_spec_code;
u16 hwrm_cmd_seq;
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c
new file mode 100644
index 000000000000..0777a26600f5
--- /dev/null
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c
@@ -0,0 +1,82 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/* Copyright (c) 2026 Broadcom Inc. */
+
+#include <linux/stddef.h>
+#include <linux/types.h>
+#include <linux/kernel.h>
+#include <linux/slab.h>
+#include <linux/bnxt/hsi.h>
+
+#include "bnxt.h"
+#include "bnxt_crypto.h"
+
+static u32 bnxt_get_max_crypto_key_ctx(struct bnxt *bp, int key_type)
+{
+ u32 fw_maj = BNXT_FW_MAJ(bp);
+
+ if (key_type == BNXT_TX_CRYPTO_KEY_TYPE)
+ return (fw_maj < 233) ? BNXT_MAX_TX_CRYPTO_KEYS_PRE_233FW :
+ BNXT_MAX_TX_CRYPTO_KEYS;
+
+ return (fw_maj < 233) ? BNXT_MAX_RX_CRYPTO_KEYS_PRE_233FW :
+ BNXT_MAX_RX_CRYPTO_KEYS;
+}
+
+/**
+ * bnxt_alloc_crypto_info - Allocate and initialize crypto offload context
+ * @bp: pointer to bnxt device
+ * @resp: pointer to firmware capability response
+ *
+ * Allocates the main crypto info structure
+ *
+ * This function is called during device initialization when firmware
+ * reports crypto offload capability. If allocation fails, crypto offload
+ * will not be available but the device will still function.
+ *
+ * Context: Process context
+ */
+void bnxt_alloc_crypto_info(struct bnxt *bp,
+ struct hwrm_func_qcaps_output *resp)
+{
+ u16 max_keys = le16_to_cpu(resp->max_key_ctxs_alloc);
+ struct bnxt_crypto_info *crypto = bp->crypto_info;
+ struct bnxt_kctx *kctx;
+ int i;
+
+ if (BNXT_VF(bp))
+ return;
+ if (!crypto) {
+ crypto = kzalloc_obj(*crypto);
+ if (!crypto) {
+ netdev_warn(bp->dev,
+ "Unable to allocate crypto info\n");
+ return;
+ }
+ for (i = 0; i < BNXT_MAX_CRYPTO_KEY_TYPE; i++) {
+ kctx = &crypto->kctx[i];
+ kctx->type = i;
+ }
+ bp->crypto_info = crypto;
+ }
+ for (i = 0; i < BNXT_MAX_CRYPTO_KEY_TYPE; i++) {
+ kctx = &crypto->kctx[i];
+ kctx->max_ctx = bnxt_get_max_crypto_key_ctx(bp, i);
+ }
+ crypto->max_key_ctxs_alloc = max_keys;
+ bp->fw_cap |= BNXT_FW_CAP_KTLS;
+}
+
+/**
+ * bnxt_free_crypto_info - Free crypto offload resources
+ * @bp: pointer to bnxt device
+ *
+ * Frees all resources associated with crypto offload. Call this function
+ * only when it is idle with nothing in-flight.
+ *
+ * Context: Process context during device shutdown/removal
+ */
+void bnxt_free_crypto_info(struct bnxt *bp)
+{
+ kfree(bp->crypto_info);
+ bp->crypto_info = NULL;
+}
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.h b/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.h
new file mode 100644
index 000000000000..629388fe1e6d
--- /dev/null
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.h
@@ -0,0 +1,47 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/* Copyright (c) 2026 Broadcom Inc. */
+
+#ifndef BNXT_CRYPTO_H
+#define BNXT_CRYPTO_H
+
+#define BNXT_MAX_TX_CRYPTO_KEYS 204800
+#define BNXT_MAX_RX_CRYPTO_KEYS 204800
+
+#define BNXT_MAX_TX_CRYPTO_KEYS_PRE_233FW 65535
+#define BNXT_MAX_RX_CRYPTO_KEYS_PRE_233FW 65535
+
+enum bnxt_crypto_type {
+ BNXT_TX_CRYPTO_KEY_TYPE = FUNC_KEY_CTX_ALLOC_REQ_KEY_CTX_TYPE_TX,
+ BNXT_RX_CRYPTO_KEY_TYPE = FUNC_KEY_CTX_ALLOC_REQ_KEY_CTX_TYPE_RX,
+ BNXT_MAX_CRYPTO_KEY_TYPE,
+};
+
+struct bnxt_kctx {
+ u8 type;
+ u32 max_ctx;
+};
+
+struct bnxt_crypto_info {
+ u16 max_key_ctxs_alloc;
+
+ struct bnxt_kctx kctx[BNXT_MAX_CRYPTO_KEY_TYPE];
+};
+
+#define BNXT_TCK(crypto) ((crypto)->kctx[BNXT_TX_CRYPTO_KEY_TYPE])
+#define BNXT_RCK(crypto) ((crypto)->kctx[BNXT_RX_CRYPTO_KEY_TYPE])
+
+#ifdef CONFIG_BNXT_TLS
+void bnxt_alloc_crypto_info(struct bnxt *bp,
+ struct hwrm_func_qcaps_output *resp);
+void bnxt_free_crypto_info(struct bnxt *bp);
+#else
+static inline void bnxt_alloc_crypto_info(struct bnxt *bp,
+ struct hwrm_func_qcaps_output *resp)
+{
+}
+
+static inline void bnxt_free_crypto_info(struct bnxt *bp)
+{
+}
+#endif /* CONFIG_BNXT_TLS */
+#endif /* BNXT_CRYPTO_H */
diff --git a/include/linux/bnxt/hsi.h b/include/linux/bnxt/hsi.h
index 74a6bf278d88..03444b81beb0 100644
--- a/include/linux/bnxt/hsi.h
+++ b/include/linux/bnxt/hsi.h
@@ -3837,6 +3837,43 @@ struct hwrm_func_ptp_ext_qcfg_output {
u8 valid;
};
+/* hwrm_func_key_ctx_alloc_input (size:384b/48B) */
+struct hwrm_func_key_ctx_alloc_input {
+ __le16 req_type;
+ __le16 cmpl_ring;
+ __le16 seq_id;
+ __le16 target_id;
+ __le64 resp_addr;
+ __le16 fid;
+ __le16 num_key_ctxs;
+ __le32 dma_bufr_size_bytes;
+ u8 key_ctx_type;
+ #define FUNC_KEY_CTX_ALLOC_REQ_KEY_CTX_TYPE_TX 0x0UL
+ #define FUNC_KEY_CTX_ALLOC_REQ_KEY_CTX_TYPE_RX 0x1UL
+ #define FUNC_KEY_CTX_ALLOC_REQ_KEY_CTX_TYPE_QUIC_TX 0x2UL
+ #define FUNC_KEY_CTX_ALLOC_REQ_KEY_CTX_TYPE_QUIC_RX 0x3UL
+ #define FUNC_KEY_CTX_ALLOC_REQ_KEY_CTX_TYPE_LAST FUNC_KEY_CTX_ALLOC_REQ_KEY_CTX_TYPE_QUIC_RX
+ u8 unused_0[7];
+ __le64 host_dma_addr;
+ __le32 partition_start_xid;
+ u8 unused_1[4];
+};
+
+/* hwrm_func_key_ctx_alloc_output (size:192b/24B) */
+struct hwrm_func_key_ctx_alloc_output {
+ __le16 error_code;
+ __le16 req_type;
+ __le16 seq_id;
+ __le16 resp_len;
+ __le16 num_key_ctxs_allocated;
+ u8 flags;
+ #define FUNC_KEY_CTX_ALLOC_RESP_FLAGS_KEY_CTXS_CONTIGUOUS 0x1UL
+ u8 unused_0;
+ __le32 partition_start_xid;
+ u8 unused_1[7];
+ u8 valid;
+};
+
/* hwrm_func_backing_store_cfg_v2_input (size:512b/64B) */
struct hwrm_func_backing_store_cfg_v2_input {
__le16 req_type;
--
2.51.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH net-next v3 08/15] bnxt_en: Reserve crypto RX and TX key contexts on a PF
2026-06-14 7:23 [PATCH net-next v3 00/15] bnxt_en: Add kTLS TX offload support Michael Chan
` (6 preceding siblings ...)
2026-06-14 7:23 ` [PATCH net-next v3 07/15] bnxt_en: Allocate crypto structure and backing store Michael Chan
@ 2026-06-14 7:24 ` Michael Chan
2026-06-14 7:24 ` [PATCH net-next v3 09/15] bnxt_en: Add infrastructure for crypto key context IDs Michael Chan
` (6 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: Michael Chan @ 2026-06-14 7:24 UTC (permalink / raw)
To: davem
Cc: netdev, edumazet, kuba, pabeni, andrew+netdev, pavan.chebbi,
andrew.gospodarek
If kTLS crypto offload is supported, reserve RX and TX key contexts.
These keys will later be allocated during run-time to support offloading
TX and RX kTLS connections.
Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
---
v3:
Add missing ASSETS_TEST flag when checking reserved crypto keys.
v2:
https://lore.kernel.org/netdev/20260512212105.3488258-9-michael.chan@broadcom.com/
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 22 +++++++++++--
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 11 +++++++
.../net/ethernet/broadcom/bnxt/bnxt_crypto.c | 32 +++++++++++++++++++
.../net/ethernet/broadcom/bnxt/bnxt_crypto.h | 7 ++++
4 files changed, 70 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index dd8b3e09fd2d..730af6aee0c8 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -7785,6 +7785,7 @@ static int bnxt_trim_rings(struct bnxt *bp, int *rx, int *tx, int max,
static int bnxt_hwrm_get_rings(struct bnxt *bp)
{
struct bnxt_hw_resc *hw_resc = &bp->hw_resc;
+ struct bnxt_hw_crypto_resc *crypto_resc;
struct hwrm_func_qcfg_output *resp;
struct hwrm_func_qcfg_input *req;
int rc;
@@ -7845,6 +7846,10 @@ static int bnxt_hwrm_get_rings(struct bnxt *bp)
}
hw_resc->resv_cp_rings = cp;
hw_resc->resv_stat_ctxs = stats;
+
+ crypto_resc = &hw_resc->crypto_resc;
+ crypto_resc->resv_tx_key_ctxs = le32_to_cpu(resp->num_ktls_tx_key_ctxs);
+ crypto_resc->resv_rx_key_ctxs = le32_to_cpu(resp->num_ktls_rx_key_ctxs);
}
get_rings_exit:
hwrm_req_drop(bp, req);
@@ -7915,8 +7920,9 @@ __bnxt_hwrm_reserve_pf_rings(struct bnxt *bp, struct bnxt_hw_rings *hwr)
}
req->num_stat_ctxs = cpu_to_le16(hwr->stat);
req->num_vnics = cpu_to_le16(hwr->vnic);
+ bnxt_hwrm_reserve_pf_key_ctxs(bp, req);
}
- req->enables = cpu_to_le32(enables);
+ req->enables |= cpu_to_le32(enables);
return req;
}
@@ -8318,7 +8324,7 @@ static int bnxt_hwrm_check_vf_rings(struct bnxt *bp, struct bnxt_hw_rings *hwr)
static int bnxt_hwrm_check_pf_rings(struct bnxt *bp, struct bnxt_hw_rings *hwr)
{
struct hwrm_func_cfg_input *req;
- u32 flags;
+ u32 flags, flags2 = 0;
req = __bnxt_hwrm_reserve_pf_rings(bp, hwr);
flags = FUNC_CFG_REQ_FLAGS_TX_ASSETS_TEST;
@@ -8332,9 +8338,14 @@ static int bnxt_hwrm_check_pf_rings(struct bnxt *bp, struct bnxt_hw_rings *hwr)
FUNC_CFG_REQ_FLAGS_NQ_ASSETS_TEST;
else
flags |= FUNC_CFG_REQ_FLAGS_RING_GRP_ASSETS_TEST;
+ if (req->enables &
+ cpu_to_le32(FUNC_CFG_REQ_ENABLES_KTLS_TX_KEY_CTXS |
+ FUNC_CFG_REQ_ENABLES_KTLS_RX_KEY_CTXS))
+ flags2 |= FUNC_CFG_REQ_FLAGS2_KTLS_KEY_CTX_ASSETS_TEST;
}
req->flags = cpu_to_le32(flags);
+ req->flags2 = cpu_to_le32(flags2);
return hwrm_req_send_silent(bp, req);
}
@@ -9748,6 +9759,7 @@ int bnxt_hwrm_func_resc_qcaps(struct bnxt *bp, bool all)
struct hwrm_func_resource_qcaps_output *resp;
struct hwrm_func_resource_qcaps_input *req;
struct bnxt_hw_resc *hw_resc = &bp->hw_resc;
+ struct bnxt_hw_crypto_resc *crypto_resc;
int rc;
rc = hwrm_req_init(bp, req, HWRM_FUNC_RESOURCE_QCAPS);
@@ -9785,6 +9797,12 @@ int bnxt_hwrm_func_resc_qcaps(struct bnxt *bp, bool all)
hw_resc->max_vnics * BNXT_LARGE_RSS_TO_VNIC_RATIO)
bp->rss_cap |= BNXT_RSS_CAP_LARGE_RSS_CTX;
+ crypto_resc = &hw_resc->crypto_resc;
+ crypto_resc->min_tx_key_ctxs = le32_to_cpu(resp->min_ktls_tx_key_ctxs);
+ crypto_resc->max_tx_key_ctxs = le32_to_cpu(resp->max_ktls_tx_key_ctxs);
+ crypto_resc->min_rx_key_ctxs = le32_to_cpu(resp->min_ktls_rx_key_ctxs);
+ crypto_resc->max_rx_key_ctxs = le32_to_cpu(resp->max_ktls_rx_key_ctxs);
+
if (bp->flags & BNXT_FLAG_CHIP_P5_PLUS) {
u16 max_msix = le16_to_cpu(resp->max_msix);
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
index 954c679e0290..53fdc45f8020 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
@@ -1362,6 +1362,15 @@ struct bnxt_hw_rings {
int rss_ctx;
};
+struct bnxt_hw_crypto_resc {
+ u32 min_tx_key_ctxs;
+ u32 max_tx_key_ctxs;
+ u32 resv_tx_key_ctxs;
+ u32 min_rx_key_ctxs;
+ u32 max_rx_key_ctxs;
+ u32 resv_rx_key_ctxs;
+};
+
struct bnxt_hw_resc {
u16 min_rsscos_ctxs;
u16 max_rsscos_ctxs;
@@ -1396,6 +1405,8 @@ struct bnxt_hw_resc {
u32 max_tx_wm_flows;
u32 max_rx_em_flows;
u32 max_rx_wm_flows;
+
+ struct bnxt_hw_crypto_resc crypto_resc;
};
#define BNXT_LARGE_RSS_TO_VNIC_RATIO 7
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c
index 0777a26600f5..e1047b4284ea 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c
@@ -80,3 +80,35 @@ void bnxt_free_crypto_info(struct bnxt *bp)
kfree(bp->crypto_info);
bp->crypto_info = NULL;
}
+
+/**
+ * bnxt_hwrm_reserve_pf_key_ctxs - Reserve key contexts with firmware
+ * @bp: pointer to bnxt device
+ * @req: pointer to HWRM function config request
+ *
+ * Populates the firmware request with key context reservation parameters
+ * for crypto offload based on current max settings and capabilities.
+ *
+ * Context: Process context during device configuration
+ */
+void bnxt_hwrm_reserve_pf_key_ctxs(struct bnxt *bp,
+ struct hwrm_func_cfg_input *req)
+{
+ struct bnxt_crypto_info *crypto = bp->crypto_info;
+ struct bnxt_hw_resc *hw_resc = &bp->hw_resc;
+ struct bnxt_hw_crypto_resc *crypto_resc;
+ u32 tx, rx;
+
+ if (!crypto || !BNXT_SUPPORTS_KTLS(bp))
+ return;
+
+ crypto_resc = &hw_resc->crypto_resc;
+ tx = min(BNXT_TCK(crypto).max_ctx, crypto_resc->max_tx_key_ctxs);
+ rx = min(BNXT_RCK(crypto).max_ctx, crypto_resc->max_rx_key_ctxs);
+ req->num_ktls_tx_key_ctxs = cpu_to_le32(tx);
+ req->num_ktls_rx_key_ctxs = cpu_to_le32(rx);
+ if (tx)
+ req->enables |= cpu_to_le32(FUNC_CFG_REQ_ENABLES_KTLS_TX_KEY_CTXS);
+ if (rx)
+ req->enables |= cpu_to_le32(FUNC_CFG_REQ_ENABLES_KTLS_RX_KEY_CTXS);
+}
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.h b/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.h
index 629388fe1e6d..e090491006db 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.h
@@ -34,6 +34,8 @@ struct bnxt_crypto_info {
void bnxt_alloc_crypto_info(struct bnxt *bp,
struct hwrm_func_qcaps_output *resp);
void bnxt_free_crypto_info(struct bnxt *bp);
+void bnxt_hwrm_reserve_pf_key_ctxs(struct bnxt *bp,
+ struct hwrm_func_cfg_input *req);
#else
static inline void bnxt_alloc_crypto_info(struct bnxt *bp,
struct hwrm_func_qcaps_output *resp)
@@ -43,5 +45,10 @@ static inline void bnxt_alloc_crypto_info(struct bnxt *bp,
static inline void bnxt_free_crypto_info(struct bnxt *bp)
{
}
+
+static inline void bnxt_hwrm_reserve_pf_key_ctxs(struct bnxt *bp,
+ struct hwrm_func_cfg_input *req)
+{
+}
#endif /* CONFIG_BNXT_TLS */
#endif /* BNXT_CRYPTO_H */
--
2.51.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH net-next v3 09/15] bnxt_en: Add infrastructure for crypto key context IDs
2026-06-14 7:23 [PATCH net-next v3 00/15] bnxt_en: Add kTLS TX offload support Michael Chan
` (7 preceding siblings ...)
2026-06-14 7:24 ` [PATCH net-next v3 08/15] bnxt_en: Reserve crypto RX and TX key contexts on a PF Michael Chan
@ 2026-06-14 7:24 ` Michael Chan
2026-06-14 7:24 ` [PATCH net-next v3 10/15] bnxt_en: Add MPC transmit and completion functions Michael Chan
` (5 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: Michael Chan @ 2026-06-14 7:24 UTC (permalink / raw)
To: davem
Cc: netdev, edumazet, kuba, pabeni, andrew+netdev, pavan.chebbi,
andrew.gospodarek
Each kTLS connection requires a crypto key context ID (KID). These KIDs
are allocated from the firmware in batches. Add data structure to store
these IDs. The bnxt_kid_info structure stores a batch of IDs and it can be
linked as we allocate more batches. There is a bitmap in the structure
to keep track of which ones are in use. Add APIs to allocate and free
these KIDs.
Once allocated, these KIDs are not freed during run-time. They are
re-used for new connections. FW reset or HWRM_FUNC_RESET will free
all KIDs. Call bnxt_clear_crypto() to clear all KIDs in the driver's
structures during these reset events.
Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
---
v3:
Use a larger (12-bit) epoch value for the keys.
Improve comments, kerneldoc, and dmesg.
Make sure bnxt_clear_crypto() is called during shutdown with the
BNXT_STATE_OPEN flag cleared.
v2:
https://lore.kernel.org/netdev/20260512212105.3488258-10-michael.chan@broadcom.com/
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 +
.../net/ethernet/broadcom/bnxt/bnxt_crypto.c | 284 ++++++++++++++++++
.../net/ethernet/broadcom/bnxt/bnxt_crypto.h | 66 ++++
3 files changed, 360 insertions(+)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 730af6aee0c8..6eef518a96b0 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -12854,6 +12854,8 @@ static int bnxt_hwrm_if_change(struct bnxt *bp, bool up)
bnxt_ulp_irq_stop(bp);
bnxt_free_ctx_mem(bp, false);
bnxt_dcb_free(bp);
+ if (fw_reset || caps_change)
+ bnxt_clear_crypto(bp);
rc = bnxt_fw_init_one(bp);
if (rc) {
clear_bit(BNXT_STATE_FW_RESET_DET, &bp->state);
@@ -14590,6 +14592,7 @@ static void bnxt_fw_reset_close(struct bnxt *bp)
bnxt_hwrm_func_drv_unrgtr(bp);
if (pci_is_enabled(bp->pdev))
pci_disable_device(bp->pdev);
+ bnxt_clear_crypto(bp);
bnxt_free_ctx_mem(bp, false);
}
@@ -17234,6 +17237,12 @@ static int bnxt_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
rc = bnxt_dl_register(bp);
if (rc)
goto init_err_dl;
+ rc = bnxt_crypto_init(bp);
+ if (rc) {
+ bnxt_free_crypto_info(bp);
+ netdev_warn(bp->dev, "Failed to initialize crypto offload, err = %d\n",
+ rc);
+ }
INIT_LIST_HEAD(&bp->usr_fltr_list);
@@ -17460,6 +17469,7 @@ static pci_ers_result_t bnxt_io_error_detected(struct pci_dev *pdev,
if (pci_is_enabled(pdev))
pci_disable_device(pdev);
+ bnxt_clear_crypto(bp);
bnxt_free_ctx_mem(bp, false);
netdev_unlock(netdev);
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c
index e1047b4284ea..94dfbcc460c7 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c
@@ -8,6 +8,7 @@
#include <linux/bnxt/hsi.h>
#include "bnxt.h"
+#include "bnxt_hwrm.h"
#include "bnxt_crypto.h"
static u32 bnxt_get_max_crypto_key_ctx(struct bnxt *bp, int key_type)
@@ -55,6 +56,10 @@ void bnxt_alloc_crypto_info(struct bnxt *bp,
for (i = 0; i < BNXT_MAX_CRYPTO_KEY_TYPE; i++) {
kctx = &crypto->kctx[i];
kctx->type = i;
+ INIT_LIST_HEAD(&kctx->list);
+ spin_lock_init(&kctx->lock);
+ atomic_set(&kctx->alloc_pending, 0);
+ init_waitqueue_head(&kctx->alloc_pending_wq);
}
bp->crypto_info = crypto;
}
@@ -66,6 +71,43 @@ void bnxt_alloc_crypto_info(struct bnxt *bp,
bp->fw_cap |= BNXT_FW_CAP_KTLS;
}
+/**
+ * bnxt_clear_crypto - Clear all crypto key contexts
+ * @bp: pointer to bnxt device
+ *
+ * Clears all key context allocations during shutdown or firmware reset.
+ * Frees all key info structures and bitmaps, and increments the epoch
+ * counter to invalidate any outstanding key references.
+ *
+ * This function assumes serialization (called during shutdown) and does
+ * not use locking.
+ *
+ * Context: Process context during shutdown/reset
+ */
+void bnxt_clear_crypto(struct bnxt *bp)
+{
+ struct bnxt_crypto_info *crypto = bp->crypto_info;
+ struct bnxt_kid_info *kid, *tmp;
+ struct bnxt_kctx *kctx;
+ int i;
+
+ if (!crypto)
+ return;
+
+ /* Only called when shutting down or FW reset with BNXT_STATE_OPEN
+ * cleared, so no concurrent access. No protection needed.
+ */
+ for (i = 0; i < BNXT_MAX_CRYPTO_KEY_TYPE; i++) {
+ kctx = &crypto->kctx[i];
+ list_for_each_entry_safe(kid, tmp, &kctx->list, list) {
+ list_del(&kid->list);
+ kfree(kid);
+ }
+ kctx->total_alloc = 0;
+ kctx->epoch++;
+ }
+}
+
/**
* bnxt_free_crypto_info - Free crypto offload resources
* @bp: pointer to bnxt device
@@ -77,6 +119,7 @@ void bnxt_alloc_crypto_info(struct bnxt *bp,
*/
void bnxt_free_crypto_info(struct bnxt *bp)
{
+ bnxt_clear_crypto(bp);
kfree(bp->crypto_info);
bp->crypto_info = NULL;
}
@@ -112,3 +155,244 @@ void bnxt_hwrm_reserve_pf_key_ctxs(struct bnxt *bp,
if (rx)
req->enables |= cpu_to_le32(FUNC_CFG_REQ_ENABLES_KTLS_RX_KEY_CTXS);
}
+
+static int bnxt_key_ctx_store(struct bnxt_kctx *kctx, __le32 *key_buf, u32 num,
+ bool contig, u8 kind, u32 *id)
+{
+ struct bnxt_kid_info *kid;
+ u32 i;
+
+ for (i = 0; i < num; ) {
+ kid = kzalloc_obj(*kid);
+ /* If we cannot store the IDs, they will be lost and only
+ * reclaimed by the FW during reset/reinit.
+ */
+ if (!kid)
+ return -ENOMEM;
+ kid->start_id = le32_to_cpu(key_buf[i]);
+ kid->type = kctx->type;
+ kid->kind = kind;
+ if (contig)
+ kid->count = num;
+ else
+ kid->count = 1;
+ bitmap_set(kid->ids, 0, kid->count);
+ if (id && !i) {
+ clear_bit(0, kid->ids);
+ *id = BNXT_SET_KID(kctx, kid->start_id);
+ }
+ spin_lock(&kctx->lock);
+ list_add_tail_rcu(&kid->list, &kctx->list);
+ WRITE_ONCE(kctx->total_alloc,
+ READ_ONCE(kctx->total_alloc) + kid->count);
+ spin_unlock(&kctx->lock);
+ i += kid->count;
+ }
+ return 0;
+}
+
+/* Note that the driver does not free the key contexts. They are freed
+ * by the FW during FLR and HWRM_FUNC_RESET.
+ */
+static int bnxt_hwrm_key_ctx_alloc(struct bnxt *bp, struct bnxt_kctx *kctx,
+ u8 kind, u32 num, u32 *id)
+{
+ struct bnxt_crypto_info *crypto = bp->crypto_info;
+ struct hwrm_func_key_ctx_alloc_output *resp;
+ struct hwrm_func_key_ctx_alloc_input *req;
+ dma_addr_t mapping;
+ int pending_count;
+ __le32 *key_buf;
+ u32 num_alloc;
+ bool contig;
+ int rc;
+
+ num = min3(num, crypto->max_key_ctxs_alloc, (u32)BNXT_KID_BATCH_SIZE);
+ rc = hwrm_req_init(bp, req, HWRM_FUNC_KEY_CTX_ALLOC);
+ if (rc)
+ return rc;
+
+ key_buf = hwrm_req_dma_slice(bp, req, num * 4, &mapping);
+ if (!key_buf) {
+ rc = -ENOMEM;
+ goto key_alloc_exit;
+ }
+ req->dma_bufr_size_bytes = cpu_to_le32(num * 4);
+ req->host_dma_addr = cpu_to_le64(mapping);
+ resp = hwrm_req_hold(bp, req);
+
+ req->key_ctx_type = kctx->type;
+ req->num_key_ctxs = cpu_to_le16(num);
+
+ pending_count = atomic_inc_return(&kctx->alloc_pending);
+ rc = hwrm_req_send(bp, req);
+ atomic_dec(&kctx->alloc_pending);
+ if (rc)
+ goto key_alloc_exit_wake;
+
+ num_alloc = le16_to_cpu(resp->num_key_ctxs_allocated);
+ if (num_alloc > num) {
+ netdev_warn(bp->dev,
+ "FW allocated more type %d keys (%d) than requested (%d)\n",
+ kctx->type, num_alloc, num);
+ } else if (!num_alloc) {
+ netdev_warn(bp->dev,
+ "FW allocated 0 type %d keys\n", kctx->type);
+ rc = -ENOENT;
+ goto key_alloc_exit_wake;
+ } else {
+ num = num_alloc;
+ }
+ contig = resp->flags &
+ FUNC_KEY_CTX_ALLOC_RESP_FLAGS_KEY_CTXS_CONTIGUOUS;
+ rc = bnxt_key_ctx_store(kctx, key_buf, num, contig, kind, id);
+
+key_alloc_exit_wake:
+ if (pending_count >= BNXT_KCTX_ALLOC_PENDING_MAX)
+ wake_up_all(&kctx->alloc_pending_wq);
+key_alloc_exit:
+ hwrm_req_drop(bp, req);
+ return rc;
+}
+
+bool bnxt_kid_valid(struct bnxt_kctx *kctx, u32 id)
+{
+ struct bnxt_kid_info *kid;
+ bool valid = false;
+ u32 epoch;
+
+ epoch = BNXT_KID_EPOCH(id);
+ if (epoch != kctx->epoch)
+ return false;
+
+ id = BNXT_KID_HW(id);
+ rcu_read_lock();
+ list_for_each_entry_rcu(kid, &kctx->list, list) {
+ if (id >= kid->start_id && id < kid->start_id + kid->count) {
+ if (!test_bit(id - kid->start_id, kid->ids)) {
+ valid = true;
+ break;
+ }
+ }
+ }
+ rcu_read_unlock();
+ return valid;
+}
+
+static int bnxt_alloc_one_kctx(struct bnxt_kctx *kctx, u8 kind, u32 *id)
+{
+ struct bnxt_kid_info *kid;
+ int rc = -ENOMEM;
+
+ rcu_read_lock();
+ list_for_each_entry_rcu(kid, &kctx->list, list) {
+ u32 idx = 0;
+
+ if (kid->kind != kind)
+ continue;
+ do {
+ idx = find_next_bit(kid->ids, kid->count, idx);
+ if (idx >= kid->count)
+ break;
+ if (test_and_clear_bit(idx, kid->ids)) {
+ *id = BNXT_SET_KID(kctx, kid->start_id + idx);
+ rc = 0;
+ goto alloc_done;
+ }
+ } while (1);
+ }
+
+alloc_done:
+ rcu_read_unlock();
+ return rc;
+}
+
+/**
+ * bnxt_free_one_ctx - Free a key context for later re-use
+ * @kctx: pointer to bnxt_kctx key context structure
+ * @id: Key context ID
+ *
+ * This function is called to free a key context ID when the offload
+ * using the ID has successfully terminated or aborted. If the offload
+ * cannot be terminated, the caller should not call this function to free
+ * the ID. The ID will only be recycled by the FW during reset/reinit.
+ */
+void bnxt_free_one_kctx(struct bnxt_kctx *kctx, u32 id)
+{
+ struct bnxt_kid_info *kid;
+
+ id = BNXT_KID_HW(id);
+ rcu_read_lock();
+ list_for_each_entry_rcu(kid, &kctx->list, list) {
+ if (id >= kid->start_id && id < kid->start_id + kid->count) {
+ set_bit(id - kid->start_id, kid->ids);
+ break;
+ }
+ }
+ rcu_read_unlock();
+}
+
+#define BNXT_KCTX_ALLOC_RETRY_MAX 3
+
+int bnxt_key_ctx_alloc_one(struct bnxt *bp, struct bnxt_kctx *kctx, u8 kind,
+ u32 *id)
+{
+ int rc, retry = 0;
+
+ while (retry++ < BNXT_KCTX_ALLOC_RETRY_MAX) {
+ rc = bnxt_alloc_one_kctx(kctx, kind, id);
+ if (!rc)
+ return 0;
+
+ /* When approaching the max, multiple threads may proceed
+ * and exceed the max. Some may fail the serialized HWRM call
+ * later when the max is exceeded.
+ */
+ if ((READ_ONCE(kctx->total_alloc) + BNXT_KID_BATCH_SIZE) >
+ kctx->max_ctx)
+ return -ENOSPC;
+
+ if (!BNXT_KCTX_ALLOC_OK(kctx)) {
+ wait_event(kctx->alloc_pending_wq,
+ BNXT_KCTX_ALLOC_OK(kctx));
+ continue;
+ }
+ rc = bnxt_hwrm_key_ctx_alloc(bp, kctx, kind,
+ BNXT_KID_BATCH_SIZE, id);
+ if (!rc)
+ return 0;
+ }
+ return -EAGAIN;
+}
+
+int bnxt_crypto_init(struct bnxt *bp)
+{
+ struct bnxt_crypto_info *crypto = bp->crypto_info;
+ struct bnxt_hw_resc *hw_resc = &bp->hw_resc;
+ struct bnxt_hw_crypto_resc *crypto_resc;
+ int rc;
+
+ if (!crypto || !BNXT_SUPPORTS_KTLS(bp))
+ return 0;
+
+ crypto_resc = &hw_resc->crypto_resc;
+ BNXT_TCK(crypto).max_ctx = crypto_resc->resv_tx_key_ctxs;
+ BNXT_RCK(crypto).max_ctx = crypto_resc->resv_rx_key_ctxs;
+
+ if (!BNXT_TCK(crypto).max_ctx || !BNXT_RCK(crypto).max_ctx) {
+ bnxt_free_crypto_info(bp);
+ return 0;
+ }
+
+ rc = bnxt_hwrm_key_ctx_alloc(bp, &BNXT_TCK(crypto), BNXT_CTX_KIND_CK_TX,
+ BNXT_KID_BATCH_SIZE, NULL);
+ if (rc)
+ return rc;
+
+ rc = bnxt_hwrm_key_ctx_alloc(bp, &BNXT_RCK(crypto), BNXT_CTX_KIND_CK_RX,
+ BNXT_KID_BATCH_SIZE, NULL);
+ if (rc)
+ return rc;
+
+ return 0;
+}
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.h b/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.h
index e090491006db..c5a5081b31fa 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.h
@@ -16,11 +16,43 @@ enum bnxt_crypto_type {
BNXT_MAX_CRYPTO_KEY_TYPE,
};
+#define BNXT_KID_BATCH_SIZE 128
+
+struct bnxt_kid_info {
+ struct list_head list;
+ u8 type;
+ u8 kind;
+ u32 start_id;
+ u32 count;
+ DECLARE_BITMAP(ids, BNXT_KID_BATCH_SIZE);
+};
+
struct bnxt_kctx {
+ struct list_head list;
+ /* to serialize update to the linked list and total_alloc */
+ spinlock_t lock;
u8 type;
+ u16 epoch;
+ u32 total_alloc;
u32 max_ctx;
+ atomic_t alloc_pending;
+#define BNXT_KCTX_ALLOC_PENDING_MAX 8
+ wait_queue_head_t alloc_pending_wq;
};
+#define BNXT_KID_HW_MASK 0x000fffff
+#define BNXT_KID_HW(kid) ((kid) & BNXT_KID_HW_MASK)
+#define BNXT_KID_EPOCH_MASK 0xfff00000
+#define BNXT_KID_EPOCH_SHIFT 20
+#define BNXT_KID_EPOCH(kid) (((kid) & BNXT_KID_EPOCH_MASK) >> \
+ BNXT_KID_EPOCH_SHIFT)
+
+#define BNXT_SET_KID(kctx, kid) \
+ ((kid) | ((u32)(kctx)->epoch << BNXT_KID_EPOCH_SHIFT))
+
+#define BNXT_KCTX_ALLOC_OK(kctx) \
+ (atomic_read(&((kctx)->alloc_pending)) < BNXT_KCTX_ALLOC_PENDING_MAX)
+
struct bnxt_crypto_info {
u16 max_key_ctxs_alloc;
@@ -30,18 +62,31 @@ struct bnxt_crypto_info {
#define BNXT_TCK(crypto) ((crypto)->kctx[BNXT_TX_CRYPTO_KEY_TYPE])
#define BNXT_RCK(crypto) ((crypto)->kctx[BNXT_RX_CRYPTO_KEY_TYPE])
+#define BNXT_CTX_KIND_CK_TX 0x11
+#define BNXT_CTX_KIND_CK_RX 0x12
+
#ifdef CONFIG_BNXT_TLS
void bnxt_alloc_crypto_info(struct bnxt *bp,
struct hwrm_func_qcaps_output *resp);
+void bnxt_clear_crypto(struct bnxt *bp);
void bnxt_free_crypto_info(struct bnxt *bp);
void bnxt_hwrm_reserve_pf_key_ctxs(struct bnxt *bp,
struct hwrm_func_cfg_input *req);
+bool bnxt_kid_valid(struct bnxt_kctx *kctx, u32 id);
+void bnxt_free_one_kctx(struct bnxt_kctx *kctx, u32 id);
+int bnxt_key_ctx_alloc_one(struct bnxt *bp, struct bnxt_kctx *kctx, u8 kind,
+ u32 *id);
+int bnxt_crypto_init(struct bnxt *bp);
#else
static inline void bnxt_alloc_crypto_info(struct bnxt *bp,
struct hwrm_func_qcaps_output *resp)
{
}
+static inline void bnxt_clear_crypto(struct bnxt *bp)
+{
+}
+
static inline void bnxt_free_crypto_info(struct bnxt *bp)
{
}
@@ -50,5 +95,26 @@ static inline void bnxt_hwrm_reserve_pf_key_ctxs(struct bnxt *bp,
struct hwrm_func_cfg_input *req)
{
}
+
+static inline bool bnxt_kid_valid(struct bnxt_kctx *kctx, u32 id)
+{
+ return false;
+}
+
+static inline void bnxt_free_one_kctx(struct bnxt_kctx *kctx, u32 id)
+{
+}
+
+static inline int bnxt_key_ctx_alloc_one(struct bnxt *bp,
+ struct bnxt_kctx *kctx, u8 kind,
+ u32 *id)
+{
+ return -EOPNOTSUPP;
+}
+
+static inline int bnxt_crypto_init(struct bnxt *bp)
+{
+ return 0;
+}
#endif /* CONFIG_BNXT_TLS */
#endif /* BNXT_CRYPTO_H */
--
2.51.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH net-next v3 10/15] bnxt_en: Add MPC transmit and completion functions
2026-06-14 7:23 [PATCH net-next v3 00/15] bnxt_en: Add kTLS TX offload support Michael Chan
` (8 preceding siblings ...)
2026-06-14 7:24 ` [PATCH net-next v3 09/15] bnxt_en: Add infrastructure for crypto key context IDs Michael Chan
@ 2026-06-14 7:24 ` Michael Chan
2026-06-14 7:24 ` [PATCH net-next v3 11/15] bnxt_en: Add crypto MPC transmit/completion infrastructure Michael Chan
` (4 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: Michael Chan @ 2026-06-14 7:24 UTC (permalink / raw)
To: davem
Cc: netdev, edumazet, kuba, pabeni, andrew+netdev, pavan.chebbi,
andrew.gospodarek
Add transmit, ring selection, and completion functions for midpath rings.
These will be used to send control data to the crypto engines.
Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
---
v3:
Use WRITE_ONCE() for TX prod/cons.
v2:
https://lore.kernel.org/netdev/20260512212105.3488258-11-michael.chan@broadcom.com/
Fix unused variable warnings
v1:
https://lore.kernel.org/netdev/20260504235836.3019499-11-michael.chan@broadcom.com/
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 +
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 2 +
drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c | 157 ++++++++++++++++++
drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h | 65 ++++++++
4 files changed, 227 insertions(+)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 6eef518a96b0..dc8957243cc6 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -3109,6 +3109,9 @@ static int __bnxt_poll_work(struct bnxt *bp, struct bnxt_cp_ring_info *cpr,
rx_pkts++;
else if (rc == -EBUSY) /* partial completion */
break;
+ } else if (cmp_type == CMP_TYPE_MPC_CMP) {
+ if (bnxt_mpc_cmp(bp, cpr, &raw_cons))
+ break;
} else if (unlikely(cmp_type == CMPL_BASE_TYPE_HWRM_DONE ||
cmp_type == CMPL_BASE_TYPE_HWRM_FWD_REQ ||
cmp_type == CMPL_BASE_TYPE_HWRM_ASYNC_EVENT)) {
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
index 53fdc45f8020..7e24949f2238 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
@@ -47,6 +47,7 @@ struct tx_bd {
__le32 tx_bd_len_flags_type;
#define TX_BD_TYPE (0x3f << 0)
#define TX_BD_TYPE_SHORT_TX_BD (0x00 << 0)
+ #define TX_BD_TYPE_MPC_TX_BD (0x08 << 0)
#define TX_BD_TYPE_LONG_TX_BD (0x10 << 0)
#define TX_BD_FLAGS_PACKET_END (1 << 6)
#define TX_BD_FLAGS_NO_CMPL (1 << 7)
@@ -160,6 +161,7 @@ struct tx_cmp {
#define CMP_TYPE_RX_TPA_AGG_CMP 22
#define CMP_TYPE_RX_L2_V3_CMP 23
#define CMP_TYPE_RX_L2_TPA_START_V3_CMP 25
+ #define CMP_TYPE_MPC_CMP 30
#define CMP_TYPE_STATUS_CMP 32
#define CMP_TYPE_REMOTE_DRIVER_REQ 34
#define CMP_TYPE_REMOTE_DRIVER_RESP 36
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c
index cd104b7ff1d7..30f4b3bf181b 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c
@@ -405,3 +405,160 @@ void bnxt_hwrm_mpc_ring_free(struct bnxt *bp, bool close_path)
}
}
}
+
+struct bnxt_tx_ring_info *bnxt_select_mpc_ring(struct bnxt *bp, int ring_type)
+{
+ struct bnxt_mpc_info *mpc = bp->mpc_info;
+ int n;
+
+ if (!mpc || ring_type >= BNXT_MPC_TYPE_MAX ||
+ !mpc->mpc_ring_count[ring_type])
+ return NULL;
+
+ n = raw_smp_processor_id() % mpc->mpc_ring_count[ring_type];
+ return &mpc->mpc_rings[ring_type][n];
+}
+
+/**
+ * bnxt_start_xmit_mpc - Transmit message on an MPC ring
+ * @bp: pointer to bnxt device
+ * @txr: MPC TX ring structure pointer
+ * @data: MPC message pointer
+ * @len: MPC message length
+ * @handle: Non-zero handle passed back for the completion
+ *
+ * This function is called to transmit an MPC message on an MPC TX ring.
+ * The caller must hold txr->tx_lock. When successful, the HW will return
+ * a completion and bnxt_crypto_mpc_cmp() will be called with the handle
+ * passed back.
+ *
+ * Return: zero on success, negative error code otherwise:
+ * ENODEV: MPC TX ring is shutting down.
+ * EBUSY: MPC TX ring is full
+ */
+int bnxt_start_xmit_mpc(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
+ void *data, unsigned int len, unsigned long handle)
+{
+ u32 bds, total_bds, bd_space, free_size;
+ struct bnxt_sw_mpc_tx_bd *tx_buf;
+ struct tx_bd *txbd;
+ u16 prod;
+
+ if (READ_ONCE(txr->dev_state) == BNXT_DEV_STATE_CLOSING)
+ return -ENODEV;
+
+ bds = DIV_ROUND_UP(len, sizeof(*txbd));
+ total_bds = bds + 1;
+ free_size = bnxt_tx_avail(bp, txr);
+ if (free_size < total_bds)
+ return -EBUSY;
+
+ prod = txr->tx_prod;
+ txbd = &txr->tx_desc_ring[TX_RING(bp, prod)][TX_IDX(prod)];
+ tx_buf = &txr->tx_mpc_buf_ring[RING_TX(bp, prod)];
+ tx_buf->handle = handle;
+ tx_buf->inline_bds = total_bds;
+
+ txbd->tx_bd_len_flags_type =
+ cpu_to_le32((len << TX_BD_LEN_SHIFT) | TX_BD_TYPE_MPC_TX_BD |
+ TX_BD_CNT(total_bds));
+ txbd->tx_bd_opaque = SET_TX_OPAQUE(bp, txr, prod, total_bds);
+
+ prod = NEXT_TX(prod);
+ txbd = &txr->tx_desc_ring[TX_RING(bp, prod)][TX_IDX(prod)];
+ bd_space = TX_DESC_CNT - TX_IDX(prod);
+ if (bd_space < bds) {
+ unsigned int len0 = bd_space * sizeof(*txbd);
+
+ memcpy(txbd, data, len0);
+ prod += bd_space;
+ txbd = &txr->tx_desc_ring[TX_RING(bp, prod)][TX_IDX(prod)];
+ bds -= bd_space;
+ len -= len0;
+ data += len0;
+ }
+ memcpy(txbd, data, len);
+ prod += bds;
+ WRITE_ONCE(txr->tx_prod, prod);
+
+ /* Sync BD data before updating doorbell */
+ wmb();
+ bnxt_db_write(bp, &txr->tx_db, prod);
+
+ return 0;
+}
+
+static bool bnxt_mpc_unsolicit(struct mpc_cmp *mpcmp)
+{
+ u32 client = MPC_CMP_CLIENT_TYPE(mpcmp);
+
+ if (client != MPC_CMP_CLIENT_TCE && client != MPC_CMP_CLIENT_RCE)
+ return false;
+ return MPC_CMP_UNSOLICIT_SUBTYPE(mpcmp);
+}
+
+int bnxt_mpc_cmp(struct bnxt *bp, struct bnxt_cp_ring_info *cpr, u32 *raw_cons)
+{
+ struct bnxt_cmpl_entry cmpl_entry_arr[2];
+ struct bnxt_napi *bnapi = cpr->bnapi;
+ u16 cons = RING_CMP(*raw_cons);
+ struct mpc_cmp *mpcmp, *mpcmp1;
+ u32 tmp_raw_cons = *raw_cons;
+ u32 client, cmpl_num;
+ u8 type;
+
+ mpcmp = (struct mpc_cmp *)
+ &cpr->cp_desc_ring[CP_RING(cons)][CP_IDX(cons)];
+ type = MPC_CMP_CMP_TYPE(mpcmp);
+ cmpl_entry_arr[0].cmpl = mpcmp;
+ cmpl_entry_arr[0].len = sizeof(*mpcmp);
+ cmpl_num = 1;
+ if (type == MPC_CMP_TYPE_MID_PATH_LONG) {
+ tmp_raw_cons = NEXT_RAW_CMP(tmp_raw_cons);
+ cons = RING_CMP(tmp_raw_cons);
+ mpcmp1 = (struct mpc_cmp *)
+ &cpr->cp_desc_ring[CP_RING(cons)][CP_IDX(cons)];
+
+ if (!MPC_CMP_VALID(bp, mpcmp1, tmp_raw_cons))
+ return -EBUSY;
+ /* The valid test of the entry must be done first before
+ * reading any further.
+ */
+ dma_rmb();
+ if (mpcmp1 == mpcmp + 1) {
+ cmpl_entry_arr[cmpl_num - 1].len += sizeof(*mpcmp1);
+ } else {
+ cmpl_entry_arr[cmpl_num].cmpl = mpcmp1;
+ cmpl_entry_arr[cmpl_num].len = sizeof(*mpcmp1);
+ cmpl_num++;
+ }
+ }
+ client = MPC_CMP_CLIENT_TYPE(mpcmp) >> MPC_CMP_CLIENT_SFT;
+ if (client >= BNXT_MPC_TYPE_MAX)
+ goto cmp_done;
+
+ if (!bnxt_mpc_unsolicit(mpcmp)) {
+ struct bnxt_sw_mpc_tx_bd *mpc_buf;
+ struct bnxt_tx_ring_info *txr;
+ u16 tx_cons;
+ u32 opaque;
+
+ opaque = mpcmp->mpc_cmp_opaque;
+ txr = bnapi->tx_mpc_ring[client];
+ tx_cons = txr->tx_cons;
+ if (TX_OPAQUE_RING(opaque) != txr->tx_napi_idx) {
+ netdev_warn(bp->dev, "Wrong opaque %x, expected ring %x, cons idx %x\n",
+ opaque, txr->tx_napi_idx, txr->tx_cons);
+ goto cmp_done;
+ }
+ mpc_buf = &txr->tx_mpc_buf_ring[RING_TX(bp, tx_cons)];
+ mpc_buf->handle = 0;
+ tx_cons += mpc_buf->inline_bds;
+ WRITE_ONCE(txr->tx_cons, tx_cons);
+ txr->tx_hw_cons = RING_TX(bp, tx_cons);
+ }
+
+cmp_done:
+ *raw_cons = tmp_raw_cons;
+ return 0;
+}
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h
index cdc03a074963..aa7f2666f0ca 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h
@@ -30,11 +30,53 @@ struct bnxt_mpc_info {
};
struct bnxt_sw_mpc_tx_bd {
+ u8 inline_bds;
unsigned long handle;
};
#define SW_MPC_TXBD_RING_SIZE (sizeof(struct bnxt_sw_mpc_tx_bd) * TX_DESC_CNT)
+struct bnxt_cmpl_entry {
+ void *cmpl;
+ u32 len;
+};
+
+struct mpc_cmp {
+ __le32 mpc_cmp_client_subtype_type;
+ #define MPC_CMP_TYPE (0x3f << 0)
+ #define MPC_CMP_TYPE_MID_PATH_SHORT 0x1e
+ #define MPC_CMP_TYPE_MID_PATH_LONG 0x1f
+ #define MPC_CMP_SUBTYPE 0xf00
+ #define MPC_CMP_SUBTYPE_SFT 8
+ #define MPC_CMP_SUBTYPE_SOLICITED (0x0 << 8)
+ #define MPC_CMP_SUBTYPE_ERR (0x1 << 8)
+ #define MPC_CMP_SUBTYPE_RESYNC (0x2 << 8)
+ #define MPC_CMP_CLIENT (0xf << 12)
+ #define MPC_CMP_CLIENT_SFT 12
+ #define MPC_CMP_CLIENT_TCE (0x0 << 12)
+ #define MPC_CMP_CLIENT_RCE (0x1 << 12)
+ #define MPC_CMP_CLIENT_TE_CFA (0x2 << 12)
+ #define MPC_CMP_CLIENT_RE_CFA (0x3 << 12)
+ u32 mpc_cmp_opaque;
+ __le32 mpc_cmp_v;
+ #define MPC_CMP_V (1 << 0)
+ __le32 mpc_cmp_filler;
+};
+
+#define MPC_CMP_CMP_TYPE(mpcmp) \
+ (le32_to_cpu((mpcmp)->mpc_cmp_client_subtype_type) & MPC_CMP_TYPE)
+
+#define MPC_CMP_CLIENT_TYPE(mpcmp) \
+ (le32_to_cpu((mpcmp)->mpc_cmp_client_subtype_type) & MPC_CMP_CLIENT)
+
+#define MPC_CMP_UNSOLICIT_SUBTYPE(mpcmp) \
+ ((le32_to_cpu((mpcmp)->mpc_cmp_client_subtype_type) & \
+ MPC_CMP_SUBTYPE) != MPC_CMP_SUBTYPE_SOLICITED)
+
+#define MPC_CMP_VALID(bp, mpcmp, raw_cons) \
+ (!!((mpcmp)->mpc_cmp_v & cpu_to_le32(MPC_CMP_V)) == \
+ !((raw_cons) & (bp)->cp_bit))
+
#define BNXT_MPC_CRYPTO_CAP \
(FUNC_QCAPS_RESP_MPC_CHNLS_CAP_TCE | FUNC_QCAPS_RESP_MPC_CHNLS_CAP_RCE)
@@ -61,6 +103,10 @@ void bnxt_free_mpc_rings(struct bnxt *bp);
void bnxt_init_mpc_rings(struct bnxt *bp);
int bnxt_hwrm_mpc_ring_alloc(struct bnxt *bp);
void bnxt_hwrm_mpc_ring_free(struct bnxt *bp, bool close_path);
+struct bnxt_tx_ring_info *bnxt_select_mpc_ring(struct bnxt *bp, int ring_type);
+int bnxt_start_xmit_mpc(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
+ void *data, unsigned int len, unsigned long handle);
+int bnxt_mpc_cmp(struct bnxt *bp, struct bnxt_cp_ring_info *cpr, u32 *raw_cons);
#else
static inline void bnxt_alloc_mpc_info(struct bnxt *bp, u8 mpc_chnls_cap)
{
@@ -132,5 +178,24 @@ static inline int bnxt_hwrm_mpc_ring_alloc(struct bnxt *bp)
static inline void bnxt_hwrm_mpc_ring_free(struct bnxt *bp, bool close_path)
{
}
+
+static inline struct bnxt_tx_ring_info *bnxt_select_mpc_ring(struct bnxt *bp,
+ int ring_type)
+{
+ return NULL;
+}
+
+static inline int bnxt_start_xmit_mpc(struct bnxt *bp,
+ struct bnxt_tx_ring_info *txr, void *data,
+ unsigned int len, unsigned long handle)
+{
+ return -EOPNOTSUPP;
+}
+
+static inline int bnxt_mpc_cmp(struct bnxt *bp, struct bnxt_cp_ring_info *cpr,
+ u32 *raw_cons)
+{
+ return 0;
+}
#endif /* CONFIG_BNXT_TLS */
#endif /* BNXT_MPC_H */
--
2.51.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH net-next v3 11/15] bnxt_en: Add crypto MPC transmit/completion infrastructure
2026-06-14 7:23 [PATCH net-next v3 00/15] bnxt_en: Add kTLS TX offload support Michael Chan
` (9 preceding siblings ...)
2026-06-14 7:24 ` [PATCH net-next v3 10/15] bnxt_en: Add MPC transmit and completion functions Michael Chan
@ 2026-06-14 7:24 ` Michael Chan
2026-06-14 7:24 ` [PATCH net-next v3 12/15] bnxt_en: Support kTLS TX offload by implementing .tls_dev_add/del() Michael Chan
` (3 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: Michael Chan @ 2026-06-14 7:24 UTC (permalink / raw)
To: davem
Cc: netdev, edumazet, kuba, pabeni, andrew+netdev, pavan.chebbi,
andrew.gospodarek
Add infrastructure to support sending crypto commands using the
midpath channels (MPCs). bnxt_xmit_crypto_cmd() is used to send a
crypto command and sleep with timeout until the completion is received.
If it times out, we recover by resetting the MPC. The next patch will
use this infrastructure to offload kTLS connections.
Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
---
v3:
Multiple improvements for the MPC timeout logic, including the use of
refcount to terminate the timeout instead of the arbitrary 200msec poll
wait, add synchronize_net().
v2:
https://lore.kernel.org/netdev/20260512212105.3488258-12-michael.chan@broadcom.com/
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 +-
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 2 +
.../net/ethernet/broadcom/bnxt/bnxt_crypto.c | 138 +++++++++++++++-
.../net/ethernet/broadcom/bnxt/bnxt_crypto.h | 95 +++++++++++
drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c | 153 ++++++++++++++++++
drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h | 9 ++
6 files changed, 398 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index dc8957243cc6..6779fd993184 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -7714,7 +7714,7 @@ void bnxt_hwrm_cp_ring_free(struct bnxt *bp, struct bnxt_cp_ring_info *cpr)
ring->fw_ring_id = INVALID_HW_RING_ID;
}
-static void bnxt_clear_one_cp_ring(struct bnxt *bp, struct bnxt_cp_ring_info *cpr)
+void bnxt_clear_one_cp_ring(struct bnxt *bp, struct bnxt_cp_ring_info *cpr)
{
struct bnxt_ring_struct *ring = &cpr->cp_ring_struct;
int i, size = ring->ring_mem.page_size;
@@ -14378,7 +14378,7 @@ static int bnxt_hwrm_rx_ring_reset(struct bnxt *bp, int ring_nr)
return hwrm_req_send_silent(bp, req);
}
-static void bnxt_reset_task(struct bnxt *bp, bool silent)
+void bnxt_reset_task(struct bnxt *bp, bool silent)
{
if (!silent)
bnxt_dbg_dump_states(bp);
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
index 7e24949f2238..e91c9f27cd99 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
@@ -3020,6 +3020,7 @@ int bnxt_hwrm_tx_ring_alloc(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
void bnxt_hwrm_tx_ring_free(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
bool close_path);
void bnxt_hwrm_cp_ring_free(struct bnxt *bp, struct bnxt_cp_ring_info *cpr);
+void bnxt_clear_one_cp_ring(struct bnxt *bp, struct bnxt_cp_ring_info *cpr);
int bnxt_total_tx_rings(struct bnxt *bp);
int __bnxt_hwrm_get_tx_rings(struct bnxt *bp, u16 fid, int *tx_rings);
int bnxt_nq_rings_in_use(struct bnxt *bp);
@@ -3065,6 +3066,7 @@ void bnxt_get_ring_drv_stats(struct bnxt *bp,
bool bnxt_rfs_capable(struct bnxt *bp, bool new_rss_ctx);
int bnxt_dbg_hwrm_rd_reg(struct bnxt *bp, u32 reg_off, u16 num_words,
u32 *reg_buf);
+void bnxt_reset_task(struct bnxt *bp, bool silent);
void bnxt_fw_exception(struct bnxt *bp);
void bnxt_fw_reset(struct bnxt *bp);
int bnxt_check_rings(struct bnxt *bp, int tx, int rx, bool sh, int tcs,
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c
index 94dfbcc460c7..49f192c1ddbb 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c
@@ -5,10 +5,12 @@
#include <linux/types.h>
#include <linux/kernel.h>
#include <linux/slab.h>
+#include <linux/pci.h>
#include <linux/bnxt/hsi.h>
#include "bnxt.h"
#include "bnxt_hwrm.h"
+#include "bnxt_mpc.h"
#include "bnxt_crypto.h"
static u32 bnxt_get_max_crypto_key_ctx(struct bnxt *bp, int key_type)
@@ -42,6 +44,7 @@ void bnxt_alloc_crypto_info(struct bnxt *bp,
u16 max_keys = le16_to_cpu(resp->max_key_ctxs_alloc);
struct bnxt_crypto_info *crypto = bp->crypto_info;
struct bnxt_kctx *kctx;
+ char name[64];
int i;
if (BNXT_VF(bp))
@@ -53,6 +56,15 @@ void bnxt_alloc_crypto_info(struct bnxt *bp,
"Unable to allocate crypto info\n");
return;
}
+ snprintf(name, sizeof(name), "bnxt_crypto-%s",
+ dev_name(&bp->pdev->dev));
+ crypto->mpc_cache =
+ kmem_cache_create(name,
+ sizeof(struct bnxt_crypto_cmd_ctx),
+ 0, SLAB_HWCACHE_ALIGN, NULL);
+ if (!crypto->mpc_cache)
+ goto alloc_err;
+
for (i = 0; i < BNXT_MAX_CRYPTO_KEY_TYPE; i++) {
kctx = &crypto->kctx[i];
kctx->type = i;
@@ -69,6 +81,10 @@ void bnxt_alloc_crypto_info(struct bnxt *bp,
}
crypto->max_key_ctxs_alloc = max_keys;
bp->fw_cap |= BNXT_FW_CAP_KTLS;
+ return;
+
+alloc_err:
+ kfree(crypto);
}
/**
@@ -119,8 +135,13 @@ void bnxt_clear_crypto(struct bnxt *bp)
*/
void bnxt_free_crypto_info(struct bnxt *bp)
{
+ struct bnxt_crypto_info *crypto = bp->crypto_info;
+
+ if (!crypto)
+ return;
bnxt_clear_crypto(bp);
- kfree(bp->crypto_info);
+ kmem_cache_destroy(crypto->mpc_cache);
+ kfree(crypto);
bp->crypto_info = NULL;
}
@@ -365,6 +386,82 @@ int bnxt_key_ctx_alloc_one(struct bnxt *bp, struct bnxt_kctx *kctx, u8 kind,
return -EAGAIN;
}
+#define BNXT_XMIT_CRYPTO_RETRY_MAX 10
+#define BNXT_XMIT_CRYPTO_MIN_TMO 100
+#define BNXT_XMIT_CRYPTO_MAX_TMO 150
+
+int bnxt_xmit_crypto_cmd(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
+ void *cmd, unsigned int len, unsigned int tmo)
+{
+ struct bnxt_crypto_info *crypto = bp->crypto_info;
+ struct bnxt_crypto_cmd_ctx *ctx = NULL;
+ unsigned long tmo_left, handle = 0;
+ int rc, retry = 0;
+
+ if (tmo) {
+ u32 kid = CE_CMD_KID(cmd);
+
+ ctx = kmem_cache_alloc(crypto->mpc_cache, GFP_KERNEL);
+ if (!ctx)
+ return -ENOMEM;
+ init_completion(&ctx->cmp);
+ handle = (unsigned long)ctx;
+ ctx->kid = kid;
+ ctx->client = txr->tx_ring_struct.mpc_chnl_type;
+ ctx->status = 0;
+ /* One reference for this caller, one for the handle stored in
+ * the TX buf ring. The latter is dropped by
+ * bnxt_crypto_mpc_cmp() when the command is completed normally
+ * or after timeout.
+ */
+ refcount_set(&ctx->refcnt, 2);
+ retry = BNXT_XMIT_CRYPTO_RETRY_MAX;
+ might_sleep();
+ }
+ do {
+ spin_lock_bh(&txr->tx_lock);
+ rc = bnxt_start_xmit_mpc(bp, txr, cmd, len, handle);
+ spin_unlock_bh(&txr->tx_lock);
+ if (rc == -EBUSY && tmo && retry)
+ usleep_range(BNXT_XMIT_CRYPTO_MIN_TMO,
+ BNXT_XMIT_CRYPTO_MAX_TMO);
+ else
+ break;
+ } while (retry--);
+ if (rc || !tmo) {
+ /* The completion will never arrive, drop one reference */
+ if (ctx)
+ refcount_dec(&ctx->refcnt);
+ goto xmit_done;
+ }
+
+ tmo_left = wait_for_completion_timeout(&ctx->cmp, msecs_to_jiffies(tmo));
+ if (!tmo_left) {
+ netdev_warn(bp->dev, "crypto MP cmd %08x timed out\n",
+ *((u32 *)cmd));
+ bnxt_mpc_timeout(bp, txr);
+ rc = -ETIMEDOUT;
+ goto xmit_done;
+ }
+ if (ctx->status == BNXT_CMD_CTX_COMPLETED &&
+ CE_CMPL_STATUS(&ctx->ce_cmp) == CE_CMPL_STATUS_OK)
+ rc = 0;
+ else
+ rc = -EIO;
+xmit_done:
+ if (rc) {
+ u8 status = ctx ? ctx->status : 0;
+
+ netdev_warn(bp->dev,
+ "MPC transmit failed, ring idx %d, op 0x%x, kid 0x%x, status 0x%x\n",
+ txr->bnapi->index, CE_CMD_OP(cmd), CE_CMD_KID(cmd),
+ status);
+ }
+ if (ctx && refcount_dec_and_test(&ctx->refcnt))
+ kmem_cache_free(crypto->mpc_cache, ctx);
+ return rc;
+}
+
int bnxt_crypto_init(struct bnxt *bp)
{
struct bnxt_crypto_info *crypto = bp->crypto_info;
@@ -396,3 +493,42 @@ int bnxt_crypto_init(struct bnxt *bp)
return 0;
}
+
+void bnxt_crypto_mpc_cmp(struct bnxt *bp, u32 client, unsigned long handle,
+ struct bnxt_cmpl_entry cmpl[], u32 entries)
+{
+ struct bnxt_crypto_cmd_ctx *ctx;
+ struct ce_cmpl *cmp = NULL;
+ u32 len, kid;
+
+ if (likely(cmpl))
+ cmp = cmpl[0].cmpl;
+ if (!handle || entries != 1) {
+ if (entries != 1 && cmpl) {
+ netdev_warn(bp->dev, "Invalid entries %d with handle %lx cmpl %08x in %s()\n",
+ entries, handle, *(u32 *)cmp, __func__);
+ }
+ if (!handle)
+ return;
+ }
+ ctx = (void *)handle;
+ ctx->status = BNXT_CMD_CTX_COMPLETED;
+ if (unlikely(!cmpl)) {
+ ctx->status |= BNXT_CMD_CTX_RESET;
+ goto cmp_done;
+ }
+ kid = CE_CMPL_KID(cmp);
+ if (ctx->kid != kid || ctx->client != client || entries != 1) {
+ netdev_warn(bp->dev,
+ "Invalid CE cmpl 0x%08x with entries %d for client %d with status 0x%x, expected kid 0x%x and client %d\n",
+ *(u32 *)cmp, entries, client, ctx->status, ctx->kid,
+ ctx->client);
+ ctx->status |= BNXT_CMD_CTX_ERROR;
+ }
+ len = min_t(u32, cmpl[0].len, sizeof(ctx->ce_cmp));
+ memcpy(&ctx->ce_cmp, cmpl[0].cmpl, len);
+cmp_done:
+ complete(&ctx->cmp);
+ if (refcount_dec_and_test(&ctx->refcnt))
+ kmem_cache_free(bp->crypto_info->mpc_cache, ctx);
+}
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.h b/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.h
index c5a5081b31fa..e873994fb098 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.h
@@ -4,6 +4,8 @@
#ifndef BNXT_CRYPTO_H
#define BNXT_CRYPTO_H
+#include <linux/refcount.h>
+
#define BNXT_MAX_TX_CRYPTO_KEYS 204800
#define BNXT_MAX_RX_CRYPTO_KEYS 204800
@@ -57,6 +59,80 @@ struct bnxt_crypto_info {
u16 max_key_ctxs_alloc;
struct bnxt_kctx kctx[BNXT_MAX_CRYPTO_KEY_TYPE];
+
+ struct kmem_cache *mpc_cache;
+};
+
+struct ce_delete_cmd {
+ __le32 ctx_kind_kid_opcode;
+ #define CE_DELETE_CMD_OPCODE_MASK 0xfUL
+ #define CE_DELETE_CMD_OPCODE_SFT 0
+ #define CE_DELETE_CMD_OPCODE_DEL 0x2UL
+ #define CE_DELETE_CMD_KID_MASK 0xfffff0UL
+ #define CE_DELETE_CMD_KID_SFT 4
+ #define CE_DELETE_CMD_CTX_KIND_MASK 0x1f000000UL
+ #define CE_DELETE_CMD_CTX_KIND_SFT 24
+ #define CE_DELETE_CMD_CTX_KIND_CK_TX (0x11UL << 24)
+ #define CE_DELETE_CMD_CTX_KIND_CK_RX (0x12UL << 24)
+};
+
+#define CE_CMD_OP_MASK 0x00000fU
+#define CE_CMD_KID_MASK 0xfffff0U
+#define CE_CMD_KID_SFT 4
+
+#define CE_CMD_OP(cmd_p) \
+ (le32_to_cpu(*(__le32 *)(cmd_p)) & CE_CMD_OP_MASK)
+
+#define CE_CMD_KID(cmd_p) \
+ ((le32_to_cpu(*(__le32 *)(cmd_p)) & CE_CMD_KID_MASK) >> CE_CMD_KID_SFT)
+
+struct ce_cmpl {
+ __le16 client_subtype_type;
+ #define CE_CMPL_TYPE_MASK 0x3fUL
+ #define CE_CMPL_TYPE_SFT 0
+ #define CE_CMPL_TYPE_MID_PATH_SHORT 0x1eUL
+ #define CE_CMPL_SUBTYPE_MASK 0xf00UL
+ #define CE_CMPL_SUBTYPE_SFT 8
+ #define CE_CMPL_SUBTYPE_SOLICITED (0x0UL << 8)
+ #define CE_CMPL_SUBTYPE_ERR (0x1UL << 8)
+ #define CE_CMPL_SUBTYPE_RESYNC (0x2UL << 8)
+ #define CE_CMPL_MP_CLIENT_MASK 0xf000UL
+ #define CE_CMPL_MP_CLIENT_SFT 12
+ #define CE_CMPL_MP_CLIENT_TCE (0x0UL << 12)
+ #define CE_CMPL_MP_CLIENT_RCE (0x1UL << 12)
+ __le16 status;
+ #define CE_CMPL_STATUS_MASK 0xfUL
+ #define CE_CMPL_STATUS_SFT 0
+ #define CE_CMPL_STATUS_OK 0x0UL
+ #define CE_CMPL_STATUS_CTX_LD_ERR 0x1UL
+ #define CE_CMPL_STATUS_FID_CHK_ERR 0x2UL
+ #define CE_CMPL_STATUS_CTX_VER_ERR 0x3UL
+ #define CE_CMPL_STATUS_DST_ID_ERR 0x4UL
+ #define CE_CMPL_STATUS_MP_CMD_ERR 0x5UL
+ u32 opaque;
+ __le32 v;
+ #define CE_CMPL_V 0x1UL
+ __le32 kid;
+ #define CE_CMPL_KID_MASK 0xfffffUL
+ #define CE_CMPL_KID_SFT 0
+};
+
+#define CE_CMPL_STATUS(ce_cmpl) \
+ (le16_to_cpu((ce_cmpl)->status) & CE_CMPL_STATUS_MASK)
+
+#define CE_CMPL_KID(ce_cmpl) \
+ (le32_to_cpu((ce_cmpl)->kid) & CE_CMPL_KID_MASK)
+
+struct bnxt_crypto_cmd_ctx {
+ struct completion cmp;
+ struct ce_cmpl ce_cmp;
+ refcount_t refcnt;
+ u32 kid;
+ u16 client;
+ u8 status;
+#define BNXT_CMD_CTX_COMPLETED 0x1
+#define BNXT_CMD_CTX_ERROR 0x2
+#define BNXT_CMD_CTX_RESET 0x4
};
#define BNXT_TCK(crypto) ((crypto)->kctx[BNXT_TX_CRYPTO_KEY_TYPE])
@@ -76,7 +152,11 @@ bool bnxt_kid_valid(struct bnxt_kctx *kctx, u32 id);
void bnxt_free_one_kctx(struct bnxt_kctx *kctx, u32 id);
int bnxt_key_ctx_alloc_one(struct bnxt *bp, struct bnxt_kctx *kctx, u8 kind,
u32 *id);
+int bnxt_xmit_crypto_cmd(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
+ void *cmd, unsigned int len, unsigned int tmo);
int bnxt_crypto_init(struct bnxt *bp);
+void bnxt_crypto_mpc_cmp(struct bnxt *bp, u32 client, unsigned long handle,
+ struct bnxt_cmpl_entry cmpl[], u32 entries);
#else
static inline void bnxt_alloc_crypto_info(struct bnxt *bp,
struct hwrm_func_qcaps_output *resp)
@@ -112,9 +192,24 @@ static inline int bnxt_key_ctx_alloc_one(struct bnxt *bp,
return -EOPNOTSUPP;
}
+static inline int bnxt_xmit_crypto_cmd(struct bnxt *bp,
+ struct bnxt_tx_ring_info *txr,
+ void *cmd, unsigned int len,
+ unsigned int tmo)
+{
+ return -EOPNOTSUPP;
+}
+
static inline int bnxt_crypto_init(struct bnxt *bp)
{
return 0;
}
+
+static inline void bnxt_crypto_mpc_cmp(struct bnxt *bp, u32 client,
+ unsigned long handle,
+ struct bnxt_cmpl_entry cmpl[],
+ u32 entries)
+{
+}
#endif /* CONFIG_BNXT_TLS */
#endif /* BNXT_CRYPTO_H */
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c
index 30f4b3bf181b..31a0a4c1ccfa 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.c
@@ -9,6 +9,7 @@
#include "bnxt.h"
#include "bnxt_mpc.h"
+#include "bnxt_crypto.h"
void bnxt_alloc_mpc_info(struct bnxt *bp, u8 mpc_chnls_cap)
{
@@ -488,6 +489,154 @@ int bnxt_start_xmit_mpc(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
return 0;
}
+/* Returns true if the ring is successfully marked as closing. */
+static bool bnxt_disable_mpc_ring(struct bnxt_mpc_info *mpc, int mpc_ring)
+{
+ struct bnxt_tx_ring_info *txr;
+ bool disabled = false;
+ int i;
+
+ for (i = 0; i < BNXT_MPC_TYPE_MAX; i++) {
+ if (mpc_ring >= mpc->mpc_ring_count[i])
+ continue;
+ txr = &mpc->mpc_rings[i][mpc_ring];
+ spin_lock_bh(&txr->tx_lock);
+ if (!READ_ONCE(txr->dev_state)) {
+ disabled = true;
+ WRITE_ONCE(txr->dev_state, BNXT_DEV_STATE_CLOSING);
+ }
+ spin_unlock_bh(&txr->tx_lock);
+ if (!disabled)
+ break;
+ }
+ /* Make sure napi polls see @dev_state change */
+ if (disabled)
+ synchronize_net();
+ return disabled;
+}
+
+static void bnxt_enable_mpc_ring(struct bnxt_mpc_info *mpc, int mpc_ring)
+{
+ struct bnxt_tx_ring_info *txr;
+ int i;
+
+ for (i = 0; i < BNXT_MPC_TYPE_MAX; i++) {
+ if (mpc_ring >= mpc->mpc_ring_count[i])
+ continue;
+ txr = &mpc->mpc_rings[i][mpc_ring];
+ WRITE_ONCE(txr->dev_state, 0);
+ }
+}
+
+static void bnxt_clear_one_mpc_entries(struct bnxt *bp,
+ struct bnxt_tx_ring_info *txr)
+{
+ struct bnxt_sw_mpc_tx_bd *tx_buf;
+ unsigned long handle;
+ int i, max_idx;
+ u32 client;
+
+ max_idx = bp->tx_nr_pages * TX_DESC_CNT;
+
+ for (i = 0; i < max_idx; i++) {
+ tx_buf = &txr->tx_mpc_buf_ring[i];
+ handle = tx_buf->handle;
+ if (handle) {
+ client = txr->tx_ring_struct.mpc_chnl_type;
+ bnxt_crypto_mpc_cmp(bp, client, handle, NULL, 0);
+ tx_buf->handle = 0;
+ }
+ }
+}
+
+static void bnxt_mpc_ring_stop(struct bnxt *bp, struct bnxt_mpc_info *mpc,
+ int mpc_ring)
+{
+ struct bnxt_tx_ring_info *txr;
+ struct bnxt_cp_ring_info *cpr;
+ int i;
+
+ for (i = 0; i < BNXT_MPC_TYPE_MAX; i++) {
+ if (mpc->mpc_ring_count[i] > mpc_ring) {
+ txr = &mpc->mpc_rings[i][mpc_ring];
+ bnxt_hwrm_tx_ring_free(bp, txr, true);
+ }
+ }
+ /* CP rings must be freed at the end to guarantee that the HWRM_DONE
+ * responses for HWRM_RING_FREE can still be seen on the CP rings.
+ */
+ for (i = 0; i < BNXT_MPC_TYPE_MAX; i++) {
+ if (mpc->mpc_ring_count[i] > mpc_ring) {
+ txr = &mpc->mpc_rings[i][mpc_ring];
+ cpr = txr->tx_cpr;
+ if (cpr) {
+ bnxt_hwrm_cp_ring_free(bp, cpr);
+ bnxt_clear_one_cp_ring(bp, cpr);
+ }
+ bnxt_clear_one_mpc_entries(bp, txr);
+ }
+ }
+}
+
+static int bnxt_mpc_ring_start(struct bnxt *bp, struct bnxt_mpc_info *mpc,
+ int mpc_ring)
+{
+ struct bnxt_tx_ring_info *txr;
+ int i, rc;
+
+ for (i = 0; i < BNXT_MPC_TYPE_MAX; i++) {
+ if (mpc->mpc_ring_count[i] > mpc_ring) {
+ txr = &mpc->mpc_rings[i][mpc_ring];
+ txr->tx_prod = 0;
+ txr->tx_cons = 0;
+ txr->tx_hw_cons = 0;
+ rc = bnxt_hwrm_one_mpc_ring_alloc(bp, txr);
+ if (rc)
+ return rc;
+ }
+ }
+ return 0;
+}
+
+static int bnxt_mpc_ring_reset(struct bnxt *bp, int mpc_ring)
+{
+ struct bnxt_mpc_info *mpc = bp->mpc_info;
+ int rc;
+
+ if (!mpc)
+ return 0;
+ if (mpc_ring >= mpc->mpc_cp_rings)
+ return -EINVAL;
+
+ if (!bnxt_disable_mpc_ring(mpc, mpc_ring))
+ return 0;
+
+ netdev_warn(bp->dev, "Resetting MPC ring %d\n", mpc_ring);
+ netdev_lock(bp->dev);
+ bnxt_mpc_ring_stop(bp, mpc, mpc_ring);
+
+ rc = bnxt_mpc_ring_start(bp, mpc, mpc_ring);
+ if (rc) {
+ netdev_err(bp->dev, "Error starting MPC ring %d, rc: %d, resetting device\n",
+ mpc_ring, rc);
+ bnxt_mpc_ring_stop(bp, mpc, mpc_ring);
+ bnxt_reset_task(bp, true);
+ netdev_unlock(bp->dev);
+ /* Return here as bnxt_reset_task() will clear everything */
+ return rc;
+ }
+ netdev_unlock(bp->dev);
+ bnxt_enable_mpc_ring(mpc, mpc_ring);
+ return 0;
+}
+
+int bnxt_mpc_timeout(struct bnxt *bp, struct bnxt_tx_ring_info *txr)
+{
+ if (txr->tx_ring_struct.queue_id == BNXT_MPC_QUEUE_ID)
+ return bnxt_mpc_ring_reset(bp, txr->txq_index);
+ return -EINVAL;
+}
+
static bool bnxt_mpc_unsolicit(struct mpc_cmp *mpcmp)
{
u32 client = MPC_CMP_CLIENT_TYPE(mpcmp);
@@ -504,6 +653,7 @@ int bnxt_mpc_cmp(struct bnxt *bp, struct bnxt_cp_ring_info *cpr, u32 *raw_cons)
u16 cons = RING_CMP(*raw_cons);
struct mpc_cmp *mpcmp, *mpcmp1;
u32 tmp_raw_cons = *raw_cons;
+ unsigned long handle = 0;
u32 client, cmpl_num;
u8 type;
@@ -552,11 +702,14 @@ int bnxt_mpc_cmp(struct bnxt *bp, struct bnxt_cp_ring_info *cpr, u32 *raw_cons)
goto cmp_done;
}
mpc_buf = &txr->tx_mpc_buf_ring[RING_TX(bp, tx_cons)];
+ if (!READ_ONCE(txr->dev_state))
+ handle = mpc_buf->handle;
mpc_buf->handle = 0;
tx_cons += mpc_buf->inline_bds;
WRITE_ONCE(txr->tx_cons, tx_cons);
txr->tx_hw_cons = RING_TX(bp, tx_cons);
}
+ bnxt_crypto_mpc_cmp(bp, client, handle, cmpl_entry_arr, cmpl_num);
cmp_done:
*raw_cons = tmp_raw_cons;
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h
index aa7f2666f0ca..b9a9fc771665 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_mpc.h
@@ -22,6 +22,8 @@ enum bnxt_mpc_type {
#define BNXT_DFLT_MPC_TCE BNXT_MAX_MPC
#define BNXT_DFLT_MPC_RCE BNXT_MAX_MPC
+#define BNXT_MPC_TMO_MSECS 1000
+
struct bnxt_mpc_info {
u8 mpc_chnls_cap;
u8 mpc_cp_rings;
@@ -106,6 +108,7 @@ void bnxt_hwrm_mpc_ring_free(struct bnxt *bp, bool close_path);
struct bnxt_tx_ring_info *bnxt_select_mpc_ring(struct bnxt *bp, int ring_type);
int bnxt_start_xmit_mpc(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
void *data, unsigned int len, unsigned long handle);
+int bnxt_mpc_timeout(struct bnxt *bp, struct bnxt_tx_ring_info *txr);
int bnxt_mpc_cmp(struct bnxt *bp, struct bnxt_cp_ring_info *cpr, u32 *raw_cons);
#else
static inline void bnxt_alloc_mpc_info(struct bnxt *bp, u8 mpc_chnls_cap)
@@ -192,6 +195,12 @@ static inline int bnxt_start_xmit_mpc(struct bnxt *bp,
return -EOPNOTSUPP;
}
+static inline int bnxt_mpc_timeout(struct bnxt *bp,
+ struct bnxt_tx_ring_info *txr)
+{
+ return -EOPNOTSUPP;
+}
+
static inline int bnxt_mpc_cmp(struct bnxt *bp, struct bnxt_cp_ring_info *cpr,
u32 *raw_cons)
{
--
2.51.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH net-next v3 12/15] bnxt_en: Support kTLS TX offload by implementing .tls_dev_add/del()
2026-06-14 7:23 [PATCH net-next v3 00/15] bnxt_en: Add kTLS TX offload support Michael Chan
` (10 preceding siblings ...)
2026-06-14 7:24 ` [PATCH net-next v3 11/15] bnxt_en: Add crypto MPC transmit/completion infrastructure Michael Chan
@ 2026-06-14 7:24 ` Michael Chan
2026-06-14 7:24 ` [PATCH net-next v3 13/15] bnxt_en: Implement kTLS TX normal path Michael Chan
` (2 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: Michael Chan @ 2026-06-14 7:24 UTC (permalink / raw)
To: davem
Cc: netdev, edumazet, kuba, pabeni, andrew+netdev, pavan.chebbi,
andrew.gospodarek
Add basic infrastructure to allocate and free kTLS context IDs (KIDs)
to support kTLS TX offload. To offload a connection in .tls_dev_add(),
the first step is to allocate a KID. After that the kTLS offload
command is sent to the HW via MPC using the function
bnxt_xmit_crypto_cmd() introduced in the last patch.
In .tls_dev_del(), we send the delete command to the HW using the
same bnxt_xmit_crypto_cmd(). After that we free the KID, making it
available for new offload. There is extra logic to handle ifdown,
FW reset, and device reconfiguration while deleting the connection.
bnxt_ktls_init() assigns bnxt_ktls_ops to the netdev and sets up
the TLS TX offload feature. bnxt_ktls_init() will be called in
the next patch.
Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
---
v3:
Use wait_event() in bnxt_ktls_dev_del() in case the device is in transient
reconfig state instead of poll wait.
Call bnxt_crypto_del_all() after BNXT_STATE_OPEN is cleared as documented.
Use memzero_explicit() to clear sensitive TLS parameters.
v2:
https://lore.kernel.org/netdev/20260512212105.3488258-13-michael.chan@broadcom.com/
Fix unused variable warning
Fix error recovery issues
v1:
https://lore.kernel.org/netdev/20260504235836.3019499-13-michael.chan@broadcom.com/
---
drivers/net/ethernet/broadcom/bnxt/Makefile | 2 +-
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 16 +-
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 1 +
.../net/ethernet/broadcom/bnxt/bnxt_crypto.c | 81 ++++-
.../net/ethernet/broadcom/bnxt/bnxt_crypto.h | 11 +
.../net/ethernet/broadcom/bnxt/bnxt_ktls.c | 339 ++++++++++++++++++
.../net/ethernet/broadcom/bnxt/bnxt_ktls.h | 112 ++++++
7 files changed, 559 insertions(+), 3 deletions(-)
create mode 100644 drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.c
create mode 100644 drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.h
diff --git a/drivers/net/ethernet/broadcom/bnxt/Makefile b/drivers/net/ethernet/broadcom/bnxt/Makefile
index 3acdb81fa958..88e68248aad4 100644
--- a/drivers/net/ethernet/broadcom/bnxt/Makefile
+++ b/drivers/net/ethernet/broadcom/bnxt/Makefile
@@ -5,4 +5,4 @@ bnxt_en-y := bnxt.o bnxt_hwrm.o bnxt_sriov.o bnxt_ethtool.o bnxt_dcb.o bnxt_ulp.
bnxt_en-$(CONFIG_BNXT_FLOWER_OFFLOAD) += bnxt_tc.o
bnxt_en-$(CONFIG_DEBUG_FS) += bnxt_debugfs.o
bnxt_en-$(CONFIG_BNXT_HWMON) += bnxt_hwmon.o
-bnxt_en-$(CONFIG_BNXT_TLS) += bnxt_mpc.o bnxt_crypto.o
+bnxt_en-$(CONFIG_BNXT_TLS) += bnxt_mpc.o bnxt_crypto.o bnxt_ktls.o
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 6779fd993184..8478589b8b99 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -78,6 +78,7 @@
#include <net/tso.h>
#include "bnxt_mpc.h"
#include "bnxt_crypto.h"
+#include "bnxt_ktls.h"
#define BNXT_TX_TIMEOUT (5 * HZ)
#define BNXT_DEF_MSG_ENABLE (NETIF_MSG_DRV | NETIF_MSG_HW | \
@@ -13281,6 +13282,7 @@ static int __bnxt_open_nic(struct bnxt *bp, bool irq_re_init, bool link_re_init)
static_branch_disable(&bnxt_xdp_locking_key);
}
set_bit(BNXT_STATE_OPEN, &bp->state);
+ bnxt_ktls_wake(bp);
bnxt_enable_int(bp);
/* Enable TX queues */
bnxt_tx_enable(bp);
@@ -13422,7 +13424,8 @@ static int bnxt_open(struct net_device *dev)
static bool bnxt_drv_busy(struct bnxt *bp)
{
return (test_bit(BNXT_STATE_IN_SP_TASK, &bp->state) ||
- test_bit(BNXT_STATE_READ_STATS, &bp->state));
+ test_bit(BNXT_STATE_READ_STATS, &bp->state) ||
+ bnxt_ktls_busy(bp));
}
static void bnxt_get_ring_stats(struct bnxt *bp,
@@ -13440,9 +13443,20 @@ static void __bnxt_close_nic(struct bnxt *bp, bool irq_re_init,
clear_bit(BNXT_STATE_OPEN, &bp->state);
smp_mb__after_atomic();
+ /* Wake any kTLS delete waiting on a reconfig so it re-evaluates and
+ * either keeps waiting for the reopen or aborts (ifdown / FW reset).
+ */
+ bnxt_ktls_wake(bp);
while (bnxt_drv_busy(bp))
msleep(20);
+ /* Delete all crypto connections and KIDs only on ifdown and FW reset,
+ * not ethtool config changes.
+ */
+ if (!netif_running(bp->dev) ||
+ test_bit(BNXT_STATE_IN_FW_RESET, &bp->state))
+ bnxt_crypto_del_all(bp);
+
if (BNXT_SUPPORTS_MULTI_RSS_CTX(bp))
bnxt_clear_rss_ctxs(bp);
/* Flush rings and disable interrupts */
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
index e91c9f27cd99..0ca0345a0e11 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
@@ -2474,6 +2474,7 @@ struct bnxt {
struct bnxt_mpc_info *mpc_info;
struct bnxt_crypto_info *crypto_info;
+ struct bnxt_tls_info *ktls_info;
unsigned int current_interval;
#define BNXT_TIMER_INTERVAL HZ
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c
index 49f192c1ddbb..b82fd40d5de1 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c
@@ -11,6 +11,7 @@
#include "bnxt.h"
#include "bnxt_hwrm.h"
#include "bnxt_mpc.h"
+#include "bnxt_ktls.h"
#include "bnxt_crypto.h"
static u32 bnxt_get_max_crypto_key_ctx(struct bnxt *bp, int key_type)
@@ -80,13 +81,90 @@ void bnxt_alloc_crypto_info(struct bnxt *bp,
kctx->max_ctx = bnxt_get_max_crypto_key_ctx(bp, i);
}
crypto->max_key_ctxs_alloc = max_keys;
- bp->fw_cap |= BNXT_FW_CAP_KTLS;
+ if (!bp->ktls_info)
+ bnxt_alloc_ktls_info(bp);
+ if (bp->ktls_info)
+ bp->fw_cap |= BNXT_FW_CAP_KTLS;
return;
alloc_err:
kfree(crypto);
}
+int bnxt_crypto_del(struct bnxt *bp, u8 type, u8 kind, u32 kid)
+{
+ struct bnxt_tx_ring_info *txr;
+ struct ce_delete_cmd cmd = {};
+ u32 data;
+
+ if (test_bit(BNXT_STATE_IN_FW_RESET, &bp->state) &&
+ test_bit(BNXT_STATE_FW_FATAL_COND, &bp->state))
+ return 0;
+
+ txr = bnxt_select_mpc_ring(bp, type);
+ if (!txr)
+ return -ENODEV;
+ if (kind == BNXT_CTX_KIND_CK_TX)
+ data = CE_DELETE_CMD_CTX_KIND_CK_TX;
+ else if (kind == BNXT_CTX_KIND_CK_RX)
+ data = CE_DELETE_CMD_CTX_KIND_CK_RX;
+ else
+ return -EINVAL;
+
+ data |= CE_DELETE_CMD_OPCODE_DEL |
+ (BNXT_KID_HW(kid) << CE_DELETE_CMD_KID_SFT);
+
+ cmd.ctx_kind_kid_opcode = cpu_to_le32(data);
+ return bnxt_xmit_crypto_cmd(bp, txr, &cmd, sizeof(cmd),
+ BNXT_MPC_TMO_MSECS);
+}
+
+static void bnxt_crypto_del_all_kids(struct bnxt *bp, struct bnxt_kid_info *kid)
+{
+ int i, rc;
+
+ for (i = 0; i < kid->count; i++) {
+ if (!test_bit(i, kid->ids)) {
+ rc = bnxt_crypto_del(bp, kid->type, kid->kind,
+ kid->start_id + i);
+ if (!rc)
+ set_bit(i, kid->ids);
+ }
+ }
+}
+
+/**
+ * bnxt_crypto_del_all - Delete all crypto connections
+ * @bp: pointer to bnxt device
+ *
+ * Delete all crypto connections and free all KIDs for re-use during
+ * shutdown. Increment the epoch counter to invalidate any outstanding
+ * key references.
+ *
+ * This function assumes serialization (called during shutdown) and does
+ * not use locking.
+ *
+ * Context: Process context during shutdown/reset
+ */
+void bnxt_crypto_del_all(struct bnxt *bp)
+{
+ struct bnxt_crypto_info *crypto = bp->crypto_info;
+ struct bnxt_kid_info *kid;
+ struct bnxt_kctx *kctx;
+ int i;
+
+ if (!crypto)
+ return;
+
+ /* Shutting down, no need to protect the lists. */
+ for (i = 0; i < BNXT_MAX_CRYPTO_KEY_TYPE; i++) {
+ kctx = &crypto->kctx[i];
+ list_for_each_entry(kid, &kctx->list, list)
+ bnxt_crypto_del_all_kids(bp, kid);
+ kctx->epoch++;
+ }
+}
+
/**
* bnxt_clear_crypto - Clear all crypto key contexts
* @bp: pointer to bnxt device
@@ -137,6 +215,7 @@ void bnxt_free_crypto_info(struct bnxt *bp)
{
struct bnxt_crypto_info *crypto = bp->crypto_info;
+ bnxt_free_ktls_info(bp);
if (!crypto)
return;
bnxt_clear_crypto(bp);
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.h b/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.h
index e873994fb098..72e18860cec1 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.h
@@ -144,6 +144,8 @@ struct bnxt_crypto_cmd_ctx {
#ifdef CONFIG_BNXT_TLS
void bnxt_alloc_crypto_info(struct bnxt *bp,
struct hwrm_func_qcaps_output *resp);
+int bnxt_crypto_del(struct bnxt *bp, u8 type, u8 kind, u32 kid);
+void bnxt_crypto_del_all(struct bnxt *bp);
void bnxt_clear_crypto(struct bnxt *bp);
void bnxt_free_crypto_info(struct bnxt *bp);
void bnxt_hwrm_reserve_pf_key_ctxs(struct bnxt *bp,
@@ -163,6 +165,15 @@ static inline void bnxt_alloc_crypto_info(struct bnxt *bp,
{
}
+static inline int bnxt_crypto_del(struct bnxt *bp, u8 type, u8 kind, u32 kid)
+{
+ return -EOPNOTSUPP;
+}
+
+static inline void bnxt_crypto_del_all(struct bnxt *bp)
+{
+}
+
static inline void bnxt_clear_crypto(struct bnxt *bp)
{
}
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.c
new file mode 100644
index 000000000000..9f6bdfb2e9e0
--- /dev/null
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.c
@@ -0,0 +1,339 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/* Copyright (c) 2026 Broadcom Inc. */
+
+#include <net/tls.h>
+#include <linux/bnxt/hsi.h>
+
+#include "bnxt.h"
+#include "bnxt_mpc.h"
+#include "bnxt_crypto.h"
+#include "bnxt_ktls.h"
+
+/**
+ * bnxt_alloc_ktls_info - Allocate and initialize kTLS offload context
+ * @bp: pointer to bnxt device
+ *
+ * Allocates the main kTLS crypto info structure
+ *
+ * This function is called during device initialization when firmware
+ * reports kTLS offload capability. If allocation fails, kTLS offload
+ * will not be available but the device will still function.
+ *
+ * Context: Process context
+ *
+ * Return: zero on success, negative error code otherwise:
+ * ENOMEM: out of memory
+ */
+int bnxt_alloc_ktls_info(struct bnxt *bp)
+{
+ struct bnxt_tls_info *ktls = bp->ktls_info;
+
+ if (BNXT_VF(bp))
+ return -EOPNOTSUPP;
+ if (ktls)
+ return 0;
+
+ ktls = kzalloc_obj(*ktls);
+ if (!ktls) {
+ netdev_warn(bp->dev, "Unable to allocate kTLS info\n");
+ return -ENOMEM;
+ }
+ ktls->counters = kzalloc_objs(*ktls->counters,
+ BNXT_KTLS_MAX_CTRL_COUNTERS);
+ if (!ktls->counters)
+ goto ktls_err;
+
+ init_waitqueue_head(&ktls->open_wq);
+ bp->ktls_info = ktls;
+ return 0;
+
+ktls_err:
+ kfree(ktls->counters);
+ kfree(ktls);
+ return -ENOMEM;
+}
+
+/**
+ * bnxt_free_ktls_info - Free kTLS crypto offload resources
+ * @bp: pointer to bnxt device
+ *
+ * Frees all resources associated with kTLS crypto offload
+ *
+ * Context: Process context during device shutdown/removal
+ */
+void bnxt_free_ktls_info(struct bnxt *bp)
+{
+ struct bnxt_tls_info *ktls = bp->ktls_info;
+
+ if (!ktls)
+ return;
+ kfree(ktls->counters);
+ kfree(ktls);
+ bp->ktls_info = NULL;
+}
+
+/* Copy in reverse byte order */
+static void bnxt_copy_tls_mp_data(u8 *dst, u8 *src, int bytes)
+{
+ int i;
+
+ for (i = 0; i < bytes; i++)
+ dst[bytes - i - 1] = src[i];
+}
+
+static int bnxt_crypto_add(struct bnxt *bp, enum tls_offload_ctx_dir direction,
+ struct tls_crypto_info *crypto_info, u32 tcp_seq_no,
+ u32 kid)
+{
+ struct bnxt_tx_ring_info *txr;
+ struct ce_add_cmd cmd = {0};
+ u32 data;
+ int rc;
+
+ if (direction == TLS_OFFLOAD_CTX_DIR_TX) {
+ txr = bnxt_select_mpc_ring(bp, BNXT_MPC_TCE_TYPE);
+ cmd.ctx_kind = CE_ADD_CMD_CTX_KIND_CK_TX;
+ } else {
+ return -EOPNOTSUPP;
+ }
+ if (!txr)
+ return -ENODEV;
+
+ data = CE_ADD_CMD_OPCODE_ADD | (BNXT_KID_HW(kid) << CE_ADD_CMD_KID_SFT);
+ switch (crypto_info->cipher_type) {
+ case TLS_CIPHER_AES_GCM_128: {
+ struct tls12_crypto_info_aes_gcm_128 *aes;
+
+ aes = (void *)crypto_info;
+ data |= CE_ADD_CMD_ALGORITHM_AES_GCM_128;
+ if (crypto_info->version == TLS_1_3_VERSION)
+ data |= CE_ADD_CMD_VERSION_TLS1_3;
+ memcpy(&cmd.session_key, aes->key, sizeof(aes->key));
+ memcpy(&cmd.salt, aes->salt, sizeof(aes->salt));
+ memcpy(&cmd.addl_iv, aes->iv, sizeof(aes->iv));
+ bnxt_copy_tls_mp_data(cmd.record_seq_num, aes->rec_seq,
+ sizeof(aes->rec_seq));
+ break;
+ }
+ case TLS_CIPHER_AES_GCM_256: {
+ struct tls12_crypto_info_aes_gcm_256 *aes;
+
+ aes = (void *)crypto_info;
+ data |= CE_ADD_CMD_ALGORITHM_AES_GCM_256;
+ if (crypto_info->version == TLS_1_3_VERSION)
+ data |= CE_ADD_CMD_VERSION_TLS1_3;
+ memcpy(&cmd.session_key, aes->key, sizeof(aes->key));
+ memcpy(&cmd.salt, aes->salt, sizeof(aes->salt));
+ memcpy(&cmd.addl_iv, aes->iv, sizeof(aes->iv));
+ bnxt_copy_tls_mp_data(cmd.record_seq_num, aes->rec_seq,
+ sizeof(aes->rec_seq));
+ break;
+ }
+ default:
+ return -EOPNOTSUPP;
+ }
+ cmd.ver_algo_kid_opcode = cpu_to_le32(data);
+ cmd.pkt_tcp_seq_num = cpu_to_le32(tcp_seq_no);
+ cmd.tls_header_tcp_seq_num = cmd.pkt_tcp_seq_num;
+ rc = bnxt_xmit_crypto_cmd(bp, txr, &cmd, sizeof(cmd),
+ BNXT_MPC_TMO_MSECS);
+ memzero_explicit(&cmd, sizeof(cmd));
+ return rc;
+}
+
+static bool bnxt_ktls_cipher_supported(struct bnxt *bp,
+ struct tls_crypto_info *crypto_info)
+{
+ u16 type = crypto_info->cipher_type;
+ u16 version = crypto_info->version;
+
+ if ((type == TLS_CIPHER_AES_GCM_128 ||
+ type == TLS_CIPHER_AES_GCM_256) &&
+ (version == TLS_1_2_VERSION ||
+ version == TLS_1_3_VERSION))
+ return true;
+ return false;
+}
+
+static void bnxt_set_ktls_ctx_tx(struct tls_context *tls_ctx,
+ struct bnxt_ktls_offload_ctx_tx *kctx_tx)
+{
+ struct bnxt_ktls_tx_driver_state *tx =
+ __tls_driver_ctx(tls_ctx, TLS_OFFLOAD_CTX_DIR_TX);
+
+ tx->ctx_tx = kctx_tx;
+}
+
+static struct bnxt_ktls_offload_ctx_tx *
+bnxt_get_ktls_ctx_tx(struct tls_context *tls_ctx)
+{
+ struct bnxt_ktls_tx_driver_state *tx =
+ __tls_driver_ctx(tls_ctx, TLS_OFFLOAD_CTX_DIR_TX);
+
+ return tx->ctx_tx;
+}
+
+static int bnxt_ktls_dev_add(struct net_device *dev, struct sock *sk,
+ enum tls_offload_ctx_dir direction,
+ struct tls_crypto_info *crypto_info,
+ u32 start_offload_tcp_sn)
+{
+ struct bnxt_ktls_offload_ctx_tx *kctx_tx;
+ struct bnxt *bp = netdev_priv(dev);
+ struct bnxt_crypto_info *crypto;
+ struct tls_context *tls_ctx;
+ struct bnxt_tls_info *ktls;
+ struct bnxt_kctx *kctx;
+ u32 kid;
+ int rc;
+
+ BUILD_BUG_ON(sizeof(struct bnxt_ktls_tx_driver_state) >
+ TLS_DRIVER_STATE_SIZE_TX);
+
+ ktls = bp->ktls_info;
+ if (direction == TLS_OFFLOAD_CTX_DIR_RX)
+ return -EOPNOTSUPP;
+
+ if (!BNXT_SUPPORTS_KTLS(bp)) {
+ atomic64_inc(&ktls->counters[BNXT_KTLS_ERR_NO_CAP]);
+ return -EOPNOTSUPP;
+ }
+ atomic_inc(&ktls->pending);
+ /* Make sure bnxt_close_nic() sees pending before we check the
+ * BNXT_STATE_OPEN flag.
+ */
+ smp_mb__after_atomic();
+ if (!test_bit(BNXT_STATE_OPEN, &bp->state)) {
+ atomic64_inc(&ktls->counters[BNXT_KTLS_ERR_STATE_NOT_OPEN]);
+ rc = -ENODEV;
+ goto exit;
+ }
+
+ if (!bnxt_ktls_cipher_supported(bp, crypto_info)) {
+ atomic64_inc(&ktls->counters[BNXT_KTLS_ERR_INVALID_CIPHER]);
+ rc = -EOPNOTSUPP;
+ goto exit;
+ }
+
+ kctx_tx = kzalloc_obj(*kctx_tx);
+ if (!kctx_tx) {
+ atomic64_inc(&ktls->counters[BNXT_KTLS_ERR_NO_MEM]);
+ rc = -ENOMEM;
+ goto exit;
+ }
+ tls_ctx = tls_get_ctx(sk);
+ crypto = bp->crypto_info;
+ kctx = &crypto->kctx[BNXT_TX_CRYPTO_KEY_TYPE];
+ rc = bnxt_key_ctx_alloc_one(bp, kctx, BNXT_CTX_KIND_CK_TX, &kid);
+ if (rc) {
+ atomic64_inc(&ktls->counters[BNXT_KTLS_ERR_KEY_CTX_ALLOC]);
+ goto free_ctx;
+ }
+ rc = bnxt_crypto_add(bp, direction, crypto_info, start_offload_tcp_sn,
+ kid);
+ if (rc) {
+ atomic64_inc(&ktls->counters[BNXT_KTLS_ERR_CRYPTO_CMD]);
+ goto free_kctx;
+ }
+ kctx_tx->kid = kid;
+ kctx_tx->tcp_seq_no = start_offload_tcp_sn;
+ bnxt_set_ktls_ctx_tx(tls_ctx, kctx_tx);
+ atomic64_inc(&ktls->counters[BNXT_KTLS_TX_ADD]);
+ goto exit;
+
+free_kctx:
+ bnxt_free_one_kctx(kctx, kid);
+free_ctx:
+ kfree(kctx_tx);
+exit:
+ atomic_dec(&ktls->pending);
+ return rc;
+}
+
+#define KTLS_RETRY_MAX 100
+#define KTLS_WAIT_TMO_MS 100
+
+static void bnxt_ktls_dev_del(struct net_device *dev,
+ struct tls_context *tls_ctx,
+ enum tls_offload_ctx_dir direction)
+{
+ struct bnxt_ktls_offload_ctx_tx *kctx_tx;
+ struct bnxt *bp = netdev_priv(dev);
+ struct bnxt_crypto_info *crypto;
+ struct bnxt_tls_info *ktls;
+ struct bnxt_kctx *kctx;
+ int retry_cnt = 0;
+ u8 kind;
+ u32 kid;
+
+ ktls = bp->ktls_info;
+retry:
+ if (!test_bit(BNXT_STATE_OPEN, &bp->state)) {
+ /* During ifdown or FW reset, all connections will be torn
+ * down by bnxt_crypto_del_all() / FUNC_RESET, so nothing to
+ * do here. Only a reconfiguration is transient and
+ * __bnxt_open_nic() will set BNXT_STATE_OPEN again and wake us.
+ */
+ if (!netif_running(dev) ||
+ test_bit(BNXT_STATE_IN_FW_RESET, &bp->state))
+ goto free;
+ /* Bound the wait so a wedged reconfig can't block the kTLS
+ * destruct work indefinitely.
+ */
+ if (retry_cnt++ > KTLS_RETRY_MAX) {
+ atomic64_inc(&ktls->counters[BNXT_KTLS_ERR_RETRY_EXCEEDED]);
+ netdev_warn(dev, "%s timed out waiting for device, state %lx\n",
+ __func__, bp->state);
+ goto free;
+ }
+ wait_event_timeout(ktls->open_wq,
+ test_bit(BNXT_STATE_OPEN, &bp->state) ||
+ !netif_running(dev) ||
+ test_bit(BNXT_STATE_IN_FW_RESET, &bp->state),
+ msecs_to_jiffies(KTLS_WAIT_TMO_MS));
+ goto retry;
+ }
+ atomic_inc(&ktls->pending);
+ /* Make sure bnxt_close_nic() sees pending before we check the
+ * BNXT_STATE_OPEN flag.
+ */
+ smp_mb__after_atomic();
+ if (!test_bit(BNXT_STATE_OPEN, &bp->state)) {
+ atomic_dec(&ktls->pending);
+ goto retry;
+ }
+
+ crypto = bp->crypto_info;
+ kctx_tx = bnxt_get_ktls_ctx_tx(tls_ctx);
+ kid = kctx_tx->kid;
+ kctx = &crypto->kctx[BNXT_TX_CRYPTO_KEY_TYPE];
+ kind = BNXT_CTX_KIND_CK_TX;
+ atomic64_inc(&ktls->counters[BNXT_KTLS_TX_DEL]);
+ if (bnxt_kid_valid(kctx, kid) &&
+ !bnxt_crypto_del(bp, kctx->type, kind, kid))
+ bnxt_free_one_kctx(kctx, kid);
+
+ atomic_dec(&ktls->pending);
+free:
+ bnxt_set_ktls_ctx_tx(tls_ctx, NULL);
+ kfree(kctx_tx);
+}
+
+static const struct tlsdev_ops bnxt_ktls_ops = {
+ .tls_dev_add = bnxt_ktls_dev_add,
+ .tls_dev_del = bnxt_ktls_dev_del,
+};
+
+int bnxt_ktls_init(struct bnxt *bp)
+{
+ struct bnxt_tls_info *ktls = bp->ktls_info;
+ struct net_device *dev = bp->dev;
+
+ if (!ktls)
+ return 0;
+
+ dev->tlsdev_ops = &bnxt_ktls_ops;
+ dev->hw_features |= NETIF_F_HW_TLS_TX;
+ dev->features |= NETIF_F_HW_TLS_TX;
+ return 0;
+}
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.h b/drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.h
new file mode 100644
index 000000000000..5a4f39f15e80
--- /dev/null
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.h
@@ -0,0 +1,112 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/* Copyright (c) 2026 Broadcom Inc. */
+
+#ifndef BNXT_KTLS_H
+#define BNXT_KTLS_H
+
+#include <linux/wait.h>
+
+/* Control plane counters */
+enum bnxt_ktls_ctrl_counters {
+ BNXT_KTLS_TX_ADD = 0,
+ BNXT_KTLS_TX_DEL,
+
+ /* Error counters for debugging */
+ BNXT_KTLS_ERR_NO_MEM, /* Memory allocation failure */
+ BNXT_KTLS_ERR_NO_CAP, /* Capability lost after FW reset */
+ BNXT_KTLS_ERR_KEY_CTX_ALLOC, /* Key context alloc failure */
+ BNXT_KTLS_ERR_CRYPTO_CMD, /* Crypto command failure */
+ BNXT_KTLS_ERR_DEVICE_BUSY, /* Device not ready */
+ BNXT_KTLS_ERR_INVALID_CIPHER, /* Unsupported cipher */
+ BNXT_KTLS_ERR_STATE_NOT_OPEN, /* Device not open */
+ BNXT_KTLS_ERR_RETRY_EXCEEDED, /* Retry limit exceeded */
+
+ BNXT_KTLS_MAX_CTRL_COUNTERS,
+};
+
+struct bnxt_tls_info {
+ atomic_t pending;
+
+ /* Woken from __bnxt_open_nic()/__bnxt_close_nic() when
+ * BNXT_STATE_OPEN changes, so a kTLS delete can wait out a ring
+ * reconfiguration instead of polling the state bit.
+ */
+ wait_queue_head_t open_wq;
+
+ /* Atomic counters for control path */
+ atomic64_t *counters;
+};
+
+struct bnxt_ktls_offload_ctx_tx {
+ u32 tcp_seq_no; /* tcp seq no in sync with HW */
+ u32 next_tcp_seq_no;/* staged tcp seq no */
+ u32 kid;
+ u32 pending_bytes; /* staged payload bytes */
+};
+
+struct bnxt_ktls_tx_driver_state {
+ struct bnxt_ktls_offload_ctx_tx *ctx_tx;
+};
+
+struct ce_add_cmd {
+ __le32 ver_algo_kid_opcode;
+ #define CE_ADD_CMD_OPCODE_MASK 0xfUL
+ #define CE_ADD_CMD_OPCODE_SFT 0
+ #define CE_ADD_CMD_OPCODE_ADD 0x1UL
+ #define CE_ADD_CMD_KID_MASK 0xfffff0UL
+ #define CE_ADD_CMD_KID_SFT 4
+ #define CE_ADD_CMD_ALGORITHM_MASK 0xf000000UL
+ #define CE_ADD_CMD_ALGORITHM_SFT 24
+ #define CE_ADD_CMD_ALGORITHM_AES_GCM_128 0x1000000UL
+ #define CE_ADD_CMD_ALGORITHM_AES_GCM_256 0x2000000UL
+ #define CE_ADD_CMD_VERSION_MASK 0xf0000000UL
+ #define CE_ADD_CMD_VERSION_SFT 28
+ #define CE_ADD_CMD_VERSION_TLS1_2 (0x0UL << 28)
+ #define CE_ADD_CMD_VERSION_TLS1_3 (0x1UL << 28)
+ u8 ctx_kind;
+ #define CE_ADD_CMD_CTX_KIND_MASK 0x1fUL
+ #define CE_ADD_CMD_CTX_KIND_SFT 0
+ #define CE_ADD_CMD_CTX_KIND_CK_TX 0x11UL
+ #define CE_ADD_CMD_CTX_KIND_CK_RX 0x12UL
+ u8 unused0[3];
+ u8 salt[4];
+ u8 unused1[4];
+ __le32 pkt_tcp_seq_num;
+ __le32 tls_header_tcp_seq_num;
+ u8 record_seq_num[8];
+ u8 session_key[32];
+ u8 addl_iv[8];
+};
+
+static inline bool bnxt_ktls_busy(struct bnxt *bp)
+{
+ return bp->ktls_info && atomic_read(&bp->ktls_info->pending) > 0;
+}
+
+/* Wake any kTLS control op waiting for a BNXT_STATE_OPEN transition. */
+static inline void bnxt_ktls_wake(struct bnxt *bp)
+{
+ if (bp->ktls_info)
+ wake_up_all(&bp->ktls_info->open_wq);
+}
+
+#ifdef CONFIG_BNXT_TLS
+int bnxt_alloc_ktls_info(struct bnxt *bp);
+void bnxt_free_ktls_info(struct bnxt *bp);
+int bnxt_ktls_init(struct bnxt *bp);
+#else
+static inline int bnxt_alloc_ktls_info(struct bnxt *bp)
+{
+ return -EOPNOTSUPP;
+}
+
+static inline void bnxt_free_ktls_info(struct bnxt *bp)
+{
+}
+
+static inline int bnxt_ktls_init(struct bnxt *bp)
+{
+ return -EOPNOTSUPP;
+}
+#endif /* CONFIG_BNXT_TLS */
+#endif /* BNXT_KTLS_H */
--
2.51.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH net-next v3 13/15] bnxt_en: Implement kTLS TX normal path
2026-06-14 7:23 [PATCH net-next v3 00/15] bnxt_en: Add kTLS TX offload support Michael Chan
` (11 preceding siblings ...)
2026-06-14 7:24 ` [PATCH net-next v3 12/15] bnxt_en: Support kTLS TX offload by implementing .tls_dev_add/del() Michael Chan
@ 2026-06-14 7:24 ` Michael Chan
2026-06-14 7:24 ` [PATCH net-next v3 14/15] bnxt_en: Add support for inline transmit BDs Michael Chan
2026-06-14 7:24 ` [PATCH net-next v3 15/15] bnxt_en: Add kTLS retransmission support Michael Chan
14 siblings, 0 replies; 16+ messages in thread
From: Michael Chan @ 2026-06-14 7:24 UTC (permalink / raw)
To: davem
Cc: netdev, edumazet, kuba, pabeni, andrew+netdev, pavan.chebbi,
andrew.gospodarek, Ajit Khaparde
Offload TLS encryption of TX packets to the hardware if the TCP sequence
number is the expected one. Fall back to software encryption otherwise.
Implement all the TLS TX logic to check the TCP sequence number and set
up the BD in the new function bnxt_ktls_xmit(). The stored TCP sequence
number is only updated when BD is in the ring and guaranteed to be
transmitted.
Basic kTLS statistics reporting for ethtool -S is also added. Because
there can be multiple TX rings (if there are MQPRIO TCs) sharing the
same bnxt_cp_ring_info containing the bnxt_sw_stats, we need to store
the kTLS software TX stats in bnxt_tx_ring_info instead.
The next patches will add support for the exception path with
out-of-order TCP sequence number.
Reviewed-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
---
v3:
Use per TX ring TLS stats structures.
Defer tcp sequence and stats update until the BD is on the ring.
Increment the drop counter if kTLS drops the packet.
v2:
https://lore.kernel.org/netdev/20260512212105.3488258-14-michael.chan@broadcom.com/
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 23 ++++-
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 41 +++++++-
.../net/ethernet/broadcom/bnxt/bnxt_crypto.c | 1 +
.../net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 46 +++++++++
drivers/net/ethernet/broadcom/bnxt/bnxt_gso.c | 2 +-
.../net/ethernet/broadcom/bnxt/bnxt_ktls.c | 93 +++++++++++++++++++
.../net/ethernet/broadcom/bnxt/bnxt_ktls.h | 61 ++++++++++++
7 files changed, 259 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 8478589b8b99..3560ee5525fd 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -481,6 +481,7 @@ static netdev_tx_t bnxt_start_xmit(struct sk_buff *skb, struct net_device *dev)
dma_addr_t mapping;
unsigned int length, pad = 0;
u32 len, free_size, vlan_tag_flags, cfa_action, flags;
+ struct bnxt_ktls_offload_ctx_tx *kctx_tx = NULL;
struct bnxt_ptp_cfg *ptp = bp->ptp_cfg;
struct pci_dev *pdev = bp->pdev;
u16 prod, last_frag, txts_prod;
@@ -488,6 +489,7 @@ static netdev_tx_t bnxt_start_xmit(struct sk_buff *skb, struct net_device *dev)
struct bnxt_sw_tx_bd *tx_buf;
__le32 lflags = 0;
skb_frag_t *frag;
+ u32 kid = 0;
i = skb_get_queue_mapping(skb);
if (unlikely(i >= bp->tx_nr_rings)) {
@@ -527,6 +529,12 @@ static netdev_tx_t bnxt_start_xmit(struct sk_buff *skb, struct net_device *dev)
return NETDEV_TX_BUSY;
}
+ skb = bnxt_ktls_xmit(bp, txr, skb, &lflags, &kid, &kctx_tx);
+ if (unlikely(!skb)) {
+ dev_core_stats_tx_dropped_inc(dev);
+ return NETDEV_TX_OK;
+ }
+
length = skb->len;
len = skb_headlen(skb);
last_frag = skb_shinfo(skb)->nr_frags;
@@ -675,7 +683,7 @@ static netdev_tx_t bnxt_start_xmit(struct sk_buff *skb, struct net_device *dev)
prod = NEXT_TX(prod);
txbd1 = bnxt_init_ext_bd(bp, txr, prod, lflags, vlan_tag_flags,
- cfa_action);
+ cfa_action, kid);
if (skb_is_gso(skb)) {
bool udp_gso = !!(skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4);
@@ -696,9 +704,10 @@ static netdev_tx_t bnxt_start_xmit(struct sk_buff *skb, struct net_device *dev)
txbd1->tx_bd_hsize_lflags |= cpu_to_le32(TX_BD_FLAGS_LSO |
TX_BD_FLAGS_T_IPID |
- (hdr_len << (TX_BD_HSIZE_SHIFT - 1)));
+ ((hdr_len >> 1) << TX_BD_HSIZE_SHIFT));
length = skb_shinfo(skb)->gso_size;
- txbd1->tx_bd_mss = cpu_to_le32(length);
+ txbd1->tx_bd_kid_mss = cpu_to_le32(BNXT_TX_KID_HI(kid) |
+ (length & TX_BD_MSS));
length += hdr_len;
} else if (skb->ip_summed == CHECKSUM_PARTIAL) {
txbd1->tx_bd_hsize_lflags |=
@@ -751,6 +760,9 @@ static netdev_tx_t bnxt_start_xmit(struct sk_buff *skb, struct net_device *dev)
prod = NEXT_TX(prod);
WRITE_ONCE(txr->tx_prod, prod);
+ /* Commit the kTLS state now that the BD is in the ring. */
+ bnxt_ktls_xmit_commit(txr, kctx_tx);
+
if (!netdev_xmit_more() || netif_xmit_stopped(txq)) {
bnxt_txr_db_kick(bp, txr, prod);
} else {
@@ -4079,6 +4091,8 @@ static void bnxt_free_tx_rings(struct bnxt *bp)
bnxt_free_tx_inline_buf(txr, pdev);
+ bnxt_ktls_free_tx_ring_stats(txr);
+
ring = &txr->tx_ring_struct;
bnxt_free_ring(bp, &ring->ring_mem);
@@ -4154,6 +4168,9 @@ static int bnxt_alloc_tx_rings(struct bnxt *bp)
qidx = bp->tc_to_qidx[j];
ring->queue_id = bp->q_info[qidx].queue_id;
spin_lock_init(&txr->tx_lock);
+ rc = bnxt_ktls_alloc_tx_ring_stats(bp, txr);
+ if (rc)
+ return rc;
if (i < bp->tx_nr_rings_xdp)
continue;
if (BNXT_RING_TO_TC_OFF(bp, i) == (bp->tx_nr_rings_per_tc - 1))
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
index 0ca0345a0e11..4ca36b99c4a3 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
@@ -101,10 +101,18 @@ struct tx_bd_ext {
#define TX_BD_FLAGS_LSO (1 << 5)
#define TX_BD_FLAGS_IPID_FMT (1 << 6)
#define TX_BD_FLAGS_T_IPID (1 << 7)
+ #define TX_BD_FLAGS_CRYPTO_EN (1 << 15)
#define TX_BD_HSIZE (0xff << 16)
#define TX_BD_HSIZE_SHIFT 16
-
- __le32 tx_bd_mss;
+ #define TX_BD_KID_LO (0x7f << 25)
+ #define TX_BD_KID_LO_MASK 0x7f
+ #define TX_BD_KID_LO_SHIFT 25
+
+ __le32 tx_bd_kid_mss;
+ #define TX_BD_MSS 0x7fff
+ #define TX_BD_KID_HI (0x1ffff << 15)
+ #define TX_BD_KID_HI_MASK 0xffff80
+ #define TX_BD_KID_HI_SHIFT 8
__le32 tx_bd_cfa_action;
#define TX_BD_CFA_ACTION (0xffff << 16)
#define TX_BD_CFA_ACTION_SHIFT 16
@@ -122,6 +130,16 @@ struct tx_bd_ext {
};
#define BNXT_TX_PTP_IS_SET(lflags) ((lflags) & cpu_to_le32(TX_BD_FLAGS_STAMP))
+#define BNXT_TX_KID_LO(kid) (((kid) & TX_BD_KID_LO_MASK) << TX_BD_KID_LO_SHIFT)
+#define BNXT_TX_KID_HI(kid) (((kid) & TX_BD_KID_HI_MASK) << TX_BD_KID_HI_SHIFT)
+
+struct tx_bd_presync {
+ __le32 tx_bd_len_flags_type;
+ #define TX_BD_TYPE_PRESYNC_TX_BD (0x09 << 0)
+ u32 tx_bd_opaque;
+ __le32 tx_bd_kid;
+ u32 tx_bd_unused;
+};
struct rx_bd {
__le32 rx_bd_len_flags_type;
@@ -1024,6 +1042,9 @@ struct bnxt_tx_ring_info {
struct bnxt_ring_struct tx_ring_struct;
/* Synchronize simultaneous xdp_xmit on same ring or for MPC ring */
spinlock_t tx_lock;
+
+ /* Per-TX-ring kTLS counters; allocated only when kTLS is enabled. */
+ struct bnxt_tls_sw_stats *tls_stats;
};
#define BNXT_LEGACY_COAL_CMPL_PARAMS \
@@ -1165,6 +1186,18 @@ struct bnxt_cmn_sw_stats {
u64 missed_irqs;
};
+/* Data plane kTLS counters */
+enum bnxt_ktls_data_counters {
+ BNXT_KTLS_TX_PKTS = 0,
+ BNXT_KTLS_TX_BYTES,
+
+ BNXT_KTLS_MAX_DATA_COUNTERS,
+};
+
+struct bnxt_tls_sw_stats {
+ u64 counters[BNXT_KTLS_MAX_DATA_COUNTERS];
+};
+
struct bnxt_sw_stats {
struct bnxt_rx_sw_stats rx;
struct bnxt_tx_sw_stats tx;
@@ -2879,14 +2912,14 @@ static inline u32 bnxt_tx_avail(struct bnxt *bp,
static inline struct tx_bd_ext *
bnxt_init_ext_bd(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
u16 prod, __le32 lflags, u32 vlan_tag_flags,
- u32 cfa_action)
+ u32 cfa_action, u32 kid)
{
struct tx_bd_ext *txbd1;
txbd1 = (struct tx_bd_ext *)
&txr->tx_desc_ring[TX_RING(bp, prod)][TX_IDX(prod)];
txbd1->tx_bd_hsize_lflags = lflags;
- txbd1->tx_bd_mss = 0;
+ txbd1->tx_bd_kid_mss = cpu_to_le32(BNXT_TX_KID_HI(kid));
txbd1->tx_bd_cfa_meta = cpu_to_le32(vlan_tag_flags);
txbd1->tx_bd_cfa_action =
cpu_to_le32(cfa_action << TX_BD_CFA_ACTION_SHIFT);
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c
index b82fd40d5de1..881c50ca2dcb 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_crypto.c
@@ -570,6 +570,7 @@ int bnxt_crypto_init(struct bnxt *bp)
if (rc)
return rc;
+ bnxt_ktls_init(bp);
return 0;
}
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
index c60c04c34fad..9b2bc38236d7 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
@@ -38,6 +38,7 @@
#include "bnxt_fw_hdr.h" /* Firmware hdr constant and structure defs */
#include "bnxt_coredump.h"
#include "bnxt_mpc.h"
+#include "bnxt_ktls.h"
#define BNXT_NVM_ERR_MSG(dev, extack, msg) \
do { \
@@ -354,6 +355,26 @@ static const char *const bnxt_ring_drv_stats_arr[] = {
"total_missed_irqs",
};
+/* kTLS data plane counter strings indexed by enum bnxt_ktls_data_counters */
+static const char *const bnxt_ktls_data_stats[] = {
+ [BNXT_KTLS_TX_PKTS] = "tx_tls_encrypted_packets",
+ [BNXT_KTLS_TX_BYTES] = "tx_tls_encrypted_bytes",
+};
+
+/* kTLS control plane counter strings indexed by enum bnxt_ktls_ctrl_counters */
+static const char *const bnxt_ktls_ctrl_stats[] = {
+ [BNXT_KTLS_TX_ADD] = "tx_tls_ctx",
+ [BNXT_KTLS_TX_DEL] = "tx_tls_del",
+ [BNXT_KTLS_ERR_NO_MEM] = "tls_err_no_mem",
+ [BNXT_KTLS_ERR_NO_CAP] = "tls_err_no_cap",
+ [BNXT_KTLS_ERR_KEY_CTX_ALLOC] = "tls_err_key_ctx_alloc",
+ [BNXT_KTLS_ERR_CRYPTO_CMD] = "tls_err_crypto_cmd",
+ [BNXT_KTLS_ERR_DEVICE_BUSY] = "tls_err_device_busy",
+ [BNXT_KTLS_ERR_INVALID_CIPHER] = "tls_err_invalid_cipher",
+ [BNXT_KTLS_ERR_STATE_NOT_OPEN] = "tls_err_state_not_open",
+ [BNXT_KTLS_ERR_RETRY_EXCEEDED] = "tls_err_retry_exceeded",
+};
+
#define NUM_RING_RX_SW_STATS ARRAY_SIZE(bnxt_rx_sw_stats_str)
#define NUM_RING_CMN_SW_STATS ARRAY_SIZE(bnxt_cmn_sw_stats_str)
#define NUM_RING_RX_HW_STATS ARRAY_SIZE(bnxt_ring_rx_stats_str)
@@ -536,12 +557,21 @@ static int bnxt_get_num_ring_stats(struct bnxt *bp)
cmn * bp->cp_nr_rings;
}
+static int bnxt_get_num_ktls_stats(struct bnxt *bp)
+{
+ if (!bp->ktls_info)
+ return 0;
+ return ARRAY_SIZE(bnxt_ktls_ctrl_stats) +
+ ARRAY_SIZE(bnxt_ktls_data_stats);
+}
+
static int bnxt_get_num_stats(struct bnxt *bp)
{
int num_stats = bnxt_get_num_ring_stats(bp);
int len;
num_stats += BNXT_NUM_RING_DRV_STATS;
+ num_stats += bnxt_get_num_ktls_stats(bp);
if (bp->flags & BNXT_FLAG_PORT_STATS)
num_stats += BNXT_NUM_PORT_STATS;
@@ -653,6 +683,16 @@ static void bnxt_get_ethtool_stats(struct net_device *dev,
for (i = 0; i < BNXT_NUM_RING_DRV_STATS; i++, j++, curr++, prev++)
buf[j] = *curr + *prev;
+ if (bp->ktls_info) {
+ struct bnxt_tls_info *ktls = bp->ktls_info;
+ struct bnxt_tls_sw_stats tls_stats = {};
+
+ bnxt_get_ring_tls_stats(bp, &tls_stats);
+ for (i = 0; i < ARRAY_SIZE(bnxt_ktls_data_stats); i++, j++)
+ buf[j] = tls_stats.counters[i];
+ for (i = 0; i < ARRAY_SIZE(bnxt_ktls_ctrl_stats); i++, j++)
+ buf[j] = atomic64_read(&ktls->counters[i]);
+ }
if (bp->flags & BNXT_FLAG_PORT_STATS) {
u64 *port_stats = bp->port_stats.sw_stats;
@@ -763,6 +803,12 @@ static void bnxt_get_strings(struct net_device *dev, u32 stringset, u8 *buf)
for (i = 0; i < BNXT_NUM_RING_DRV_STATS; i++)
ethtool_puts(&buf, bnxt_ring_drv_stats_arr[i]);
+ if (bp->ktls_info) {
+ for (i = 0; i < ARRAY_SIZE(bnxt_ktls_data_stats); i++)
+ ethtool_puts(&buf, bnxt_ktls_data_stats[i]);
+ for (i = 0; i < ARRAY_SIZE(bnxt_ktls_ctrl_stats); i++)
+ ethtool_puts(&buf, bnxt_ktls_ctrl_stats[i]);
+ }
if (bp->flags & BNXT_FLAG_PORT_STATS)
for (i = 0; i < BNXT_NUM_PORT_STATS; i++) {
str = bnxt_port_stats_arr[i].string;
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_gso.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_gso.c
index f317f60414e8..b4c37a6c9f0f 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_gso.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_gso.c
@@ -168,7 +168,7 @@ netdev_tx_t bnxt_sw_udp_gso_xmit(struct bnxt *bp,
prod = NEXT_TX(prod);
bnxt_init_ext_bd(bp, txr, prod, csum,
- vlan_tag_flags, cfa_action);
+ vlan_tag_flags, cfa_action, 0);
/* set dma_unmap_len on the LAST BD touching each
* region. Since completions are in-order, the last segment
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.c
index 9f6bdfb2e9e0..298fb08e7b9b 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.c
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: GPL-2.0-only
/* Copyright (c) 2026 Broadcom Inc. */
+#include <linux/tcp.h>
#include <net/tls.h>
#include <linux/bnxt/hsi.h>
@@ -337,3 +338,95 @@ int bnxt_ktls_init(struct bnxt *bp)
dev->features |= NETIF_F_HW_TLS_TX;
return 0;
}
+
+static void bnxt_ktls_inc_tx_stats(struct bnxt_tx_ring_info *txr, u32 bytes)
+{
+ struct bnxt_tls_sw_stats *ring_stats = txr->tls_stats;
+
+ if (!ring_stats)
+ return;
+ ring_stats->counters[BNXT_KTLS_TX_PKTS]++;
+ ring_stats->counters[BNXT_KTLS_TX_BYTES] += bytes;
+}
+
+struct sk_buff *bnxt_ktls_xmit(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
+ struct sk_buff *skb, __le32 *lflags, u32 *kid,
+ struct bnxt_ktls_offload_ctx_tx **kctx_tx_p)
+{
+ struct bnxt_tls_info *ktls = bp->ktls_info;
+ struct bnxt_ktls_offload_ctx_tx *kctx_tx;
+ struct tls_context *tls_ctx;
+ u32 seq, payload_len;
+
+ if (!IS_ENABLED(CONFIG_TLS_DEVICE) || !ktls ||
+ !tls_is_skb_tx_device_offloaded(skb))
+ return skb;
+
+ seq = ntohl(tcp_hdr(skb)->seq);
+ tls_ctx = tls_get_ctx(skb->sk);
+ kctx_tx = bnxt_get_ktls_ctx_tx(tls_ctx);
+ payload_len = skb->len - skb_tcp_all_headers(skb);
+ if (!payload_len)
+ return skb;
+ if (kctx_tx->tcp_seq_no == seq) {
+ /* Stage the advance only. tcp_seq_no and the counters are
+ * committed by bnxt_ktls_xmit_commit() once the BD reaches the
+ * ring.
+ */
+ kctx_tx->next_tcp_seq_no = seq + payload_len;
+ kctx_tx->pending_bytes = payload_len;
+ *kid = BNXT_KID_HW(kctx_tx->kid);
+ *kctx_tx_p = kctx_tx;
+ *lflags |= cpu_to_le32(TX_BD_FLAGS_CRYPTO_EN |
+ BNXT_TX_KID_LO(*kid));
+ } else {
+ skb = tls_encrypt_skb(skb);
+ if (!skb)
+ return NULL;
+ }
+ return skb;
+}
+
+void bnxt_ktls_xmit_commit(struct bnxt_tx_ring_info *txr,
+ struct bnxt_ktls_offload_ctx_tx *kctx_tx)
+{
+ if (!kctx_tx)
+ return;
+ kctx_tx->tcp_seq_no = kctx_tx->next_tcp_seq_no;
+ bnxt_ktls_inc_tx_stats(txr, kctx_tx->pending_bytes);
+}
+
+int bnxt_ktls_alloc_tx_ring_stats(struct bnxt *bp, struct bnxt_tx_ring_info *txr)
+{
+ struct bnxt_tls_sw_stats *ring_stats;
+
+ if (!bp->ktls_info)
+ return 0;
+ ring_stats = kzalloc_obj(*ring_stats);
+ if (!ring_stats)
+ return -ENOMEM;
+ txr->tls_stats = ring_stats;
+ return 0;
+}
+
+void bnxt_ktls_free_tx_ring_stats(struct bnxt_tx_ring_info *txr)
+{
+ kfree(txr->tls_stats);
+ txr->tls_stats = NULL;
+}
+
+void bnxt_get_ring_tls_stats(struct bnxt *bp, struct bnxt_tls_sw_stats *stats)
+{
+ struct bnxt_tls_sw_stats *ring_stats;
+ int i, j;
+
+ if (!bp->ktls_info || !bp->tx_ring)
+ return;
+ for (i = 0; i < bp->tx_nr_rings; i++) {
+ ring_stats = bp->tx_ring[i].tls_stats;
+ if (!ring_stats)
+ continue;
+ for (j = 0; j < BNXT_KTLS_MAX_DATA_COUNTERS; j++)
+ stats->counters[j] += ring_stats->counters[j];
+ }
+}
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.h b/drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.h
index 5a4f39f15e80..1c935e0d413d 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.h
@@ -4,6 +4,7 @@
#ifndef BNXT_KTLS_H
#define BNXT_KTLS_H
+#include <linux/u64_stats_sync.h>
#include <linux/wait.h>
/* Control plane counters */
@@ -78,6 +79,28 @@ struct ce_add_cmd {
u8 addl_iv[8];
};
+struct crypto_prefix_cmd {
+ __le32 flags;
+ #define CRYPTO_PREFIX_CMD_FLAGS_UPDATE_IN_ORDER_VAR 0x1UL
+ #define CRYPTO_PREFIX_CMD_FLAGS_FULL_REPLAY_RETRAN 0x2UL
+ __le32 header_tcp_seq_num;
+ __le32 start_tcp_seq_num;
+ __le32 end_tcp_seq_num;
+ u8 explicit_nonce[8];
+ u8 record_seq_num[8];
+};
+
+#define CRYPTO_PREFIX_CMD_FLAGS_UPDATE_IN_ORDER_VAR_LE \
+ cpu_to_le32(CRYPTO_PREFIX_CMD_FLAGS_UPDATE_IN_ORDER_VAR)
+
+#define CRYPTO_PREFIX_CMD_SIZE ((u32)sizeof(struct crypto_prefix_cmd))
+#define CRYPTO_PREFIX_CMD_BDS (CRYPTO_PREFIX_CMD_SIZE / sizeof(struct tx_bd))
+#define CRYPTO_PRESYNC_BDS (CRYPTO_PREFIX_CMD_BDS + 1)
+
+#define CRYPTO_PRESYNC_BD_CMD \
+ (cpu_to_le32((CRYPTO_PREFIX_CMD_SIZE << TX_BD_LEN_SHIFT) | \
+ TX_BD_CNT(CRYPTO_PRESYNC_BDS) | TX_BD_TYPE_PRESYNC_TX_BD))
+
static inline bool bnxt_ktls_busy(struct bnxt *bp)
{
return bp->ktls_info && atomic_read(&bp->ktls_info->pending) > 0;
@@ -94,6 +117,15 @@ static inline void bnxt_ktls_wake(struct bnxt *bp)
int bnxt_alloc_ktls_info(struct bnxt *bp);
void bnxt_free_ktls_info(struct bnxt *bp);
int bnxt_ktls_init(struct bnxt *bp);
+struct sk_buff *bnxt_ktls_xmit(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
+ struct sk_buff *skb, __le32 *lflags, u32 *kid,
+ struct bnxt_ktls_offload_ctx_tx **kctx_tx_p);
+void bnxt_ktls_xmit_commit(struct bnxt_tx_ring_info *txr,
+ struct bnxt_ktls_offload_ctx_tx *kctx_tx);
+int bnxt_ktls_alloc_tx_ring_stats(struct bnxt *bp,
+ struct bnxt_tx_ring_info *txr);
+void bnxt_ktls_free_tx_ring_stats(struct bnxt_tx_ring_info *txr);
+void bnxt_get_ring_tls_stats(struct bnxt *bp, struct bnxt_tls_sw_stats *stats);
#else
static inline int bnxt_alloc_ktls_info(struct bnxt *bp)
{
@@ -108,5 +140,34 @@ static inline int bnxt_ktls_init(struct bnxt *bp)
{
return -EOPNOTSUPP;
}
+
+static inline struct sk_buff *
+bnxt_ktls_xmit(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
+ struct sk_buff *skb, __le32 *lflags, u32 *kid,
+ struct bnxt_ktls_offload_ctx_tx **kctx_tx_p)
+{
+ return skb;
+}
+
+static inline void
+bnxt_ktls_xmit_commit(struct bnxt_tx_ring_info *txr,
+ struct bnxt_ktls_offload_ctx_tx *kctx_tx)
+{
+}
+
+static inline int bnxt_ktls_alloc_tx_ring_stats(struct bnxt *bp,
+ struct bnxt_tx_ring_info *txr)
+{
+ return 0;
+}
+
+static inline void bnxt_ktls_free_tx_ring_stats(struct bnxt_tx_ring_info *txr)
+{
+}
+
+static inline void bnxt_get_ring_tls_stats(struct bnxt *bp,
+ struct bnxt_tls_sw_stats *stats)
+{
+}
#endif /* CONFIG_BNXT_TLS */
#endif /* BNXT_KTLS_H */
--
2.51.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH net-next v3 14/15] bnxt_en: Add support for inline transmit BDs
2026-06-14 7:23 [PATCH net-next v3 00/15] bnxt_en: Add kTLS TX offload support Michael Chan
` (12 preceding siblings ...)
2026-06-14 7:24 ` [PATCH net-next v3 13/15] bnxt_en: Implement kTLS TX normal path Michael Chan
@ 2026-06-14 7:24 ` Michael Chan
2026-06-14 7:24 ` [PATCH net-next v3 15/15] bnxt_en: Add kTLS retransmission support Michael Chan
14 siblings, 0 replies; 16+ messages in thread
From: Michael Chan @ 2026-06-14 7:24 UTC (permalink / raw)
To: davem
Cc: netdev, edumazet, kuba, pabeni, andrew+netdev, pavan.chebbi,
andrew.gospodarek
Newer chips (P5_PLUS) support inline transmit BDs that contain extra
data. One such use case is to transmit out-of-sequence kTLS packets
with encryption enabled. To account for these inline BDs during TX
completion, we add the inline_data_bds field to struct bnxt_sw_tx_bd
(tx_buf). tx_buf->is_push will always be set when sending these
inline BDs as the operation is similar to push packets. tx_buf->skb
will always be NULL as there is no associated SKB.
The next patch will make use of this feature.
Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 15 ++++++++++++---
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 1 +
2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 3560ee5525fd..ce3175721be2 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -848,7 +848,7 @@ static bool __bnxt_tx_int(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
head_buf = tx_buf;
skb = tx_buf->skb;
- if (unlikely(!skb)) {
+ if (unlikely(!skb && !tx_buf->is_push)) {
bnxt_sched_reset_txr(bp, txr, cons);
return rc;
}
@@ -860,13 +860,22 @@ static bool __bnxt_tx_int(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
}
cons = NEXT_TX(cons);
- tx_pkts++;
- tx_bytes += skb->len;
+ if (skb) {
+ tx_pkts++;
+ tx_bytes += skb->len;
+ }
tx_buf->skb = NULL;
tx_buf->is_ts_pkt = 0;
if (tx_buf->is_push) {
tx_buf->is_push = 0;
+ cons += tx_buf->inline_data_bds;
+ tx_buf->inline_data_bds = 0;
+ if (!skb) {
+ /* presync BD */
+ cons = NEXT_TX(cons);
+ continue;
+ }
goto next_tx_int;
}
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
index 4ca36b99c4a3..500bb9171274 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
@@ -917,6 +917,7 @@ struct bnxt_sw_tx_bd {
u8 is_push;
u8 is_sw_gso;
u8 action;
+ u8 inline_data_bds;
unsigned short nr_frags;
union {
u16 rx_prod;
--
2.51.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH net-next v3 15/15] bnxt_en: Add kTLS retransmission support
2026-06-14 7:23 [PATCH net-next v3 00/15] bnxt_en: Add kTLS TX offload support Michael Chan
` (13 preceding siblings ...)
2026-06-14 7:24 ` [PATCH net-next v3 14/15] bnxt_en: Add support for inline transmit BDs Michael Chan
@ 2026-06-14 7:24 ` Michael Chan
14 siblings, 0 replies; 16+ messages in thread
From: Michael Chan @ 2026-06-14 7:24 UTC (permalink / raw)
To: davem
Cc: netdev, edumazet, kuba, pabeni, andrew+netdev, pavan.chebbi,
andrew.gospodarek
If TCP retransmits a TLS packet that requires encryption by the NIC, the
TCP sequence number will go backwards and the hardware will require some
assistance from the driver. The driver needs to retrieve the TLS record
that covers the byte sequence of the retransmitted packet. If the
retransmitted packet does not include the tag, the hardware can simply
encrypt the packet using the informtaion in the TLS record.
The driver provides the TLS record information for the retransmitted
packet in the presync TX BD. The presync TX BD introduced in the last
patch is treated very much like a TX push BD with inline data. The only
exception is that no SKB will be stored for the presync TX BD.
Retransmission that includes the TLS tag will be handled in future
patches.
Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
---
v3:
Unwind the TX ring properly if the TLS packet cannot be sent.
Improve the OOO TLS counters.
Fix endianness of the record sequence number.
Check valid return address from skb_frag_address_safe().
v2:
https://lore.kernel.org/netdev/20260512212105.3488258-16-michael.chan@broadcom.com/
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 14 +-
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 4 +
.../net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 4 +
.../net/ethernet/broadcom/bnxt/bnxt_ktls.c | 152 +++++++++++++++++-
.../net/ethernet/broadcom/bnxt/bnxt_ktls.h | 2 +
5 files changed, 167 insertions(+), 9 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index ce3175721be2..2e4d11977407 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -482,9 +482,9 @@ static netdev_tx_t bnxt_start_xmit(struct sk_buff *skb, struct net_device *dev)
unsigned int length, pad = 0;
u32 len, free_size, vlan_tag_flags, cfa_action, flags;
struct bnxt_ktls_offload_ctx_tx *kctx_tx = NULL;
+ u16 prod, start_prod, last_frag, txts_prod;
struct bnxt_ptp_cfg *ptp = bp->ptp_cfg;
struct pci_dev *pdev = bp->pdev;
- u16 prod, last_frag, txts_prod;
struct bnxt_tx_ring_info *txr;
struct bnxt_sw_tx_bd *tx_buf;
__le32 lflags = 0;
@@ -500,7 +500,6 @@ static netdev_tx_t bnxt_start_xmit(struct sk_buff *skb, struct net_device *dev)
txq = netdev_get_tx_queue(dev, i);
txr = &bp->tx_ring[bp->tx_ring_map[i]];
- prod = txr->tx_prod;
#if (MAX_SKB_FRAGS > TX_MAX_FRAGS)
if (skb_shinfo(skb)->nr_frags > TX_MAX_FRAGS) {
@@ -529,12 +528,14 @@ static netdev_tx_t bnxt_start_xmit(struct sk_buff *skb, struct net_device *dev)
return NETDEV_TX_BUSY;
}
+ start_prod = txr->tx_prod;
skb = bnxt_ktls_xmit(bp, txr, skb, &lflags, &kid, &kctx_tx);
if (unlikely(!skb)) {
dev_core_stats_tx_dropped_inc(dev);
return NETDEV_TX_OK;
}
+ prod = txr->tx_prod;
length = skb->len;
len = skb_headlen(skb);
last_frag = skb_shinfo(skb)->nr_frags;
@@ -817,9 +818,16 @@ static netdev_tx_t bnxt_start_xmit(struct sk_buff *skb, struct net_device *dev)
/* set SKB to err so PTP worker will clean up */
ptp->txts_req[txts_prod].tx_skb = ERR_PTR(-EIO);
}
+ txr->tx_buf_ring[RING_TX(bp, txr->tx_prod)].skb = NULL;
+ /* Unwind any kTLS presync BDs */
+ if (unlikely(txr->tx_prod != start_prod)) {
+ tx_buf = &txr->tx_buf_ring[RING_TX(bp, start_prod)];
+ tx_buf->is_push = 0;
+ tx_buf->inline_data_bds = 0;
+ WRITE_ONCE(txr->tx_prod, start_prod);
+ }
if (txr->kick_pending)
bnxt_txr_db_kick(bp, txr, txr->tx_prod);
- txr->tx_buf_ring[RING_TX(bp, txr->tx_prod)].skb = NULL;
dev_core_stats_tx_dropped_inc(dev);
return NETDEV_TX_OK;
}
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
index 500bb9171274..339f5bdf2f20 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
@@ -1191,6 +1191,10 @@ struct bnxt_cmn_sw_stats {
enum bnxt_ktls_data_counters {
BNXT_KTLS_TX_PKTS = 0,
BNXT_KTLS_TX_BYTES,
+ BNXT_KTLS_TX_OOO_PKTS,
+ BNXT_KTLS_TX_OOO_FALLBACK_NO_SYNC,
+ BNXT_KTLS_TX_OOO_FALLBACK_NO_SPACE,
+ BNXT_KTLS_TX_OOO_FALLBACK_NO_HDR,
BNXT_KTLS_MAX_DATA_COUNTERS,
};
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
index 9b2bc38236d7..8d2ee1976e1a 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
@@ -359,6 +359,10 @@ static const char *const bnxt_ring_drv_stats_arr[] = {
static const char *const bnxt_ktls_data_stats[] = {
[BNXT_KTLS_TX_PKTS] = "tx_tls_encrypted_packets",
[BNXT_KTLS_TX_BYTES] = "tx_tls_encrypted_bytes",
+ [BNXT_KTLS_TX_OOO_PKTS] = "tx_tls_ooo_packets",
+ [BNXT_KTLS_TX_OOO_FALLBACK_NO_SYNC] = "tx_tls_ooo_fallback_no_sync",
+ [BNXT_KTLS_TX_OOO_FALLBACK_NO_SPACE] = "tx_tls_ooo_fallback_no_space",
+ [BNXT_KTLS_TX_OOO_FALLBACK_NO_HDR] = "tx_tls_ooo_fallback_no_hdr",
};
/* kTLS control plane counter strings indexed by enum bnxt_ktls_ctrl_counters */
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.c
index 298fb08e7b9b..4ed2d9d8e10c 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.c
@@ -339,7 +339,8 @@ int bnxt_ktls_init(struct bnxt *bp)
return 0;
}
-static void bnxt_ktls_inc_tx_stats(struct bnxt_tx_ring_info *txr, u32 bytes)
+static void bnxt_ktls_inc_tx_stats(struct bnxt_tx_ring_info *txr, u32 bytes,
+ bool ooo)
{
struct bnxt_tls_sw_stats *ring_stats = txr->tls_stats;
@@ -347,6 +348,128 @@ static void bnxt_ktls_inc_tx_stats(struct bnxt_tx_ring_info *txr, u32 bytes)
return;
ring_stats->counters[BNXT_KTLS_TX_PKTS]++;
ring_stats->counters[BNXT_KTLS_TX_BYTES] += bytes;
+ if (ooo)
+ ring_stats->counters[BNXT_KTLS_TX_OOO_PKTS]++;
+}
+
+static void bnxt_ktls_pre_xmit(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
+ u32 kid, struct crypto_prefix_cmd *pre_cmd)
+{
+ struct bnxt_sw_tx_bd *tx_buf;
+ struct tx_bd_presync *psbd;
+ u32 bd_space, space;
+ u8 *pcmd;
+ u16 prod;
+
+ prod = txr->tx_prod;
+ tx_buf = &txr->tx_buf_ring[RING_TX(bp, prod)];
+
+ psbd = (void *)&txr->tx_desc_ring[TX_RING(bp, prod)][TX_IDX(prod)];
+ psbd->tx_bd_len_flags_type = CRYPTO_PRESYNC_BD_CMD;
+ psbd->tx_bd_kid = cpu_to_le32(BNXT_KID_HW(kid));
+ psbd->tx_bd_opaque =
+ SET_TX_OPAQUE(bp, txr, prod, CRYPTO_PREFIX_CMD_BDS + 1);
+
+ prod = NEXT_TX(prod);
+ pcmd = (void *)&txr->tx_desc_ring[TX_RING(bp, prod)][TX_IDX(prod)];
+ bd_space = TX_DESC_CNT - TX_IDX(prod);
+ space = bd_space * sizeof(struct tx_bd);
+ if (space >= CRYPTO_PREFIX_CMD_SIZE) {
+ memcpy(pcmd, pre_cmd, CRYPTO_PREFIX_CMD_SIZE);
+ prod += CRYPTO_PREFIX_CMD_BDS;
+ } else {
+ memcpy(pcmd, pre_cmd, space);
+ prod += bd_space;
+ pcmd = (void *)&txr->tx_desc_ring[TX_RING(bp, prod)][TX_IDX(prod)];
+ memcpy(pcmd, (u8 *)pre_cmd + space,
+ CRYPTO_PREFIX_CMD_SIZE - space);
+ prod += CRYPTO_PREFIX_CMD_BDS - bd_space;
+ }
+ txr->tx_prod = prod;
+ tx_buf->is_push = 1;
+ /* Minus 1 since the header psbd is a single entry short BD */
+ tx_buf->inline_data_bds = CRYPTO_PREFIX_CMD_BDS - 1;
+}
+
+static int bnxt_ktls_tx_ooo(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
+ struct sk_buff *skb, u32 payload_len, u32 seq,
+ struct tls_context *tls_ctx)
+{
+ struct bnxt_tls_sw_stats *ring_stats = txr->tls_stats;
+ struct tls_offload_context_tx *tx_tls_ctx;
+ struct bnxt_ktls_offload_ctx_tx *kctx_tx;
+ u32 hdr_tcp_seq, end_seq, total_bds;
+ struct crypto_prefix_cmd pcmd = {};
+ struct tls_record_info *record;
+ unsigned long flags;
+ bool fwd = false;
+ __le64 le_rec_sn;
+ u64 rec_sn;
+ u8 *hdr;
+ int rc;
+
+ tx_tls_ctx = tls_offload_ctx_tx(tls_ctx);
+ kctx_tx = bnxt_get_ktls_ctx_tx(tls_ctx);
+ end_seq = seq + skb->len - skb_tcp_all_headers(skb);
+ if (unlikely(after(seq, kctx_tx->tcp_seq_no) ||
+ after(end_seq, kctx_tx->tcp_seq_no))) {
+ fwd = true;
+ pcmd.flags = CRYPTO_PREFIX_CMD_FLAGS_UPDATE_IN_ORDER_VAR_LE;
+ }
+
+ spin_lock_irqsave(&tx_tls_ctx->lock, flags);
+ record = tls_get_record(tx_tls_ctx, seq, &rec_sn);
+ if (!record || !record->num_frags) {
+ rc = -EPROTO;
+ ring_stats->counters[BNXT_KTLS_TX_OOO_FALLBACK_NO_SYNC]++;
+ goto unlock_exit;
+ }
+ hdr_tcp_seq = tls_record_start_seq(record);
+ hdr = skb_frag_address_safe(&record->frags[0]);
+
+ total_bds = CRYPTO_PRESYNC_BDS + skb_shinfo(skb)->nr_frags + 2;
+ if (bnxt_tx_avail(bp, txr) < total_bds) {
+ rc = -ENOSPC;
+ ring_stats->counters[BNXT_KTLS_TX_OOO_FALLBACK_NO_SPACE]++;
+ goto unlock_exit;
+ }
+
+ if (before(record->end_seq - tls_ctx->prot_info.tag_size,
+ seq + payload_len)) {
+ /* retransmission includes tag bytes */
+ rc = -EOPNOTSUPP;
+ goto unlock_exit;
+ }
+ pcmd.header_tcp_seq_num = cpu_to_le32(hdr_tcp_seq);
+ pcmd.start_tcp_seq_num = cpu_to_le32(seq);
+ pcmd.end_tcp_seq_num = cpu_to_le32(seq + payload_len - 1);
+ if (tls_ctx->prot_info.version == TLS_1_2_VERSION) {
+ u32 nonce_bytes = tls_ctx->prot_info.iv_size;
+ u32 retrans_off = seq - hdr_tcp_seq;
+
+ if (!hdr) {
+ rc = -ENOBUFS;
+ ring_stats->counters[BNXT_KTLS_TX_OOO_FALLBACK_NO_HDR]++;
+ goto unlock_exit;
+ }
+ if (retrans_off > 5 && retrans_off < 5 + nonce_bytes)
+ nonce_bytes = retrans_off - 5;
+ memcpy(pcmd.explicit_nonce, hdr + 5, nonce_bytes);
+ }
+ le_rec_sn = cpu_to_le64(rec_sn);
+ memcpy(&pcmd.record_seq_num[0], &le_rec_sn, sizeof(le_rec_sn));
+
+ rc = 0;
+ bnxt_ktls_pre_xmit(bp, txr, kctx_tx->kid, &pcmd);
+
+ if (fwd) {
+ kctx_tx->next_tcp_seq_no = end_seq;
+ kctx_tx->pending_fwd = 1;
+ }
+
+unlock_exit:
+ spin_unlock_irqrestore(&tx_tls_ctx->lock, flags);
+ return rc;
}
struct sk_buff *bnxt_ktls_xmit(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
@@ -357,6 +480,7 @@ struct sk_buff *bnxt_ktls_xmit(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
struct bnxt_ktls_offload_ctx_tx *kctx_tx;
struct tls_context *tls_ctx;
u32 seq, payload_len;
+ int rc;
if (!IS_ENABLED(CONFIG_TLS_DEVICE) || !ktls ||
!tls_is_skb_tx_device_offloaded(skb))
@@ -375,14 +499,25 @@ struct sk_buff *bnxt_ktls_xmit(struct bnxt *bp, struct bnxt_tx_ring_info *txr,
*/
kctx_tx->next_tcp_seq_no = seq + payload_len;
kctx_tx->pending_bytes = payload_len;
+ kctx_tx->pending_ooo = 0;
+ kctx_tx->pending_fwd = 1;
*kid = BNXT_KID_HW(kctx_tx->kid);
*kctx_tx_p = kctx_tx;
*lflags |= cpu_to_le32(TX_BD_FLAGS_CRYPTO_EN |
BNXT_TX_KID_LO(*kid));
} else {
- skb = tls_encrypt_skb(skb);
- if (!skb)
- return NULL;
+ kctx_tx->pending_fwd = 0;
+ rc = bnxt_ktls_tx_ooo(bp, txr, skb, payload_len, seq, tls_ctx);
+ if (rc)
+ return tls_encrypt_skb(skb);
+
+ kctx_tx->pending_bytes = payload_len;
+ kctx_tx->pending_ooo = 1;
+ *kid = BNXT_KID_HW(kctx_tx->kid);
+ *kctx_tx_p = kctx_tx;
+ *lflags |= cpu_to_le32(TX_BD_FLAGS_CRYPTO_EN |
+ BNXT_TX_KID_LO(*kid));
+ return skb;
}
return skb;
}
@@ -392,8 +527,13 @@ void bnxt_ktls_xmit_commit(struct bnxt_tx_ring_info *txr,
{
if (!kctx_tx)
return;
- kctx_tx->tcp_seq_no = kctx_tx->next_tcp_seq_no;
- bnxt_ktls_inc_tx_stats(txr, kctx_tx->pending_bytes);
+ if (kctx_tx->pending_fwd)
+ kctx_tx->tcp_seq_no = kctx_tx->next_tcp_seq_no;
+ bnxt_ktls_inc_tx_stats(txr, kctx_tx->pending_bytes,
+ kctx_tx->pending_ooo);
+ kctx_tx->pending_bytes = 0;
+ kctx_tx->pending_fwd = 0;
+ kctx_tx->pending_ooo = 0;
}
int bnxt_ktls_alloc_tx_ring_stats(struct bnxt *bp, struct bnxt_tx_ring_info *txr)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.h b/drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.h
index 1c935e0d413d..40b94bbf5a38 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ktls.h
@@ -43,6 +43,8 @@ struct bnxt_ktls_offload_ctx_tx {
u32 next_tcp_seq_no;/* staged tcp seq no */
u32 kid;
u32 pending_bytes; /* staged payload bytes */
+ u32 pending_fwd:1;
+ u32 pending_ooo:1;
};
struct bnxt_ktls_tx_driver_state {
--
2.51.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
end of thread, other threads:[~2026-06-14 7:25 UTC | newest]
Thread overview: 16+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-14 7:23 [PATCH net-next v3 00/15] bnxt_en: Add kTLS TX offload support Michael Chan
2026-06-14 7:23 ` [PATCH net-next v3 01/15] bnxt_en: Add Midpath channel information Michael Chan
2026-06-14 7:23 ` [PATCH net-next v3 02/15] bnxt_en: Account for the MPC TX and CP rings Michael Chan
2026-06-14 7:23 ` [PATCH net-next v3 03/15] bnxt_en: Set default MPC ring count Michael Chan
2026-06-14 7:23 ` [PATCH net-next v3 04/15] bnxt_en: Rename xdp_tx_lock to tx_lock Michael Chan
2026-06-14 7:23 ` [PATCH net-next v3 05/15] bnxt_en: Allocate and free MPC software structures Michael Chan
2026-06-14 7:23 ` [PATCH net-next v3 06/15] bnxt_en: Allocate and free MPC channels from firmware Michael Chan
2026-06-14 7:23 ` [PATCH net-next v3 07/15] bnxt_en: Allocate crypto structure and backing store Michael Chan
2026-06-14 7:24 ` [PATCH net-next v3 08/15] bnxt_en: Reserve crypto RX and TX key contexts on a PF Michael Chan
2026-06-14 7:24 ` [PATCH net-next v3 09/15] bnxt_en: Add infrastructure for crypto key context IDs Michael Chan
2026-06-14 7:24 ` [PATCH net-next v3 10/15] bnxt_en: Add MPC transmit and completion functions Michael Chan
2026-06-14 7:24 ` [PATCH net-next v3 11/15] bnxt_en: Add crypto MPC transmit/completion infrastructure Michael Chan
2026-06-14 7:24 ` [PATCH net-next v3 12/15] bnxt_en: Support kTLS TX offload by implementing .tls_dev_add/del() Michael Chan
2026-06-14 7:24 ` [PATCH net-next v3 13/15] bnxt_en: Implement kTLS TX normal path Michael Chan
2026-06-14 7:24 ` [PATCH net-next v3 14/15] bnxt_en: Add support for inline transmit BDs Michael Chan
2026-06-14 7:24 ` [PATCH net-next v3 15/15] bnxt_en: Add kTLS retransmission support Michael Chan
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox