Public bug reported:

Summary:
Align Kernel IPsec Full offload implementation in the DPU to the upstream Full
offload in all components: OFED, Strongswan, etc.
This is in order for DPU Kernel IPsec to include policy offload and be fully
aligned to what CX Kernel customers will use.

How to test:
Host 1:
/opt/mellanox/iproute2/sbin/devlink dev eswitch set pci/0000:03:00.0 mode legacy
echo 'dmfs' > /sys/bus/pci/devices/0000:03:00.0/net/p0/compat/devlink/steering_mode
echo 'full' > /sys/class/net/p0/compat/devlink/ipsec_mode
/opt/mellanox/iproute2/sbin/devlink dev eswitch set pci/0000:03:00.0 mode switchdev

BF on host 1:
/opt/mellanox/iproute2/sbin/ip xfrm policy add src 196.234.181.165 dst 196.234.182.166 dir out tmpl src 196.234.181.165/16 dst 196.234.182.166/16 proto esp reqid 0xefa83812 mode transport priority 10
/opt/mellanox/iproute2/sbin/ip xfrm policy add src 196.234.182.166 dst 196.234.181.165 dir in tmpl src 196.234.182.166/16 dst 196.234.181.165/16 proto esp reqid 0x63a7db74 mode transport priority 10
/opt/mellanox/iproute2/sbin/ip xfrm policy add src 196.234.182.166 dst 196.234.181.165 dir fwd tmpl src 196.234.182.166/16 dst 196.234.181.165/16 proto esp reqid 0x63a7db74 mode transport priority 10
/opt/mellanox/iproute2/sbin/ip xfrm state add src 196.234.181.165/16 dst 196.234.182.166/16 proto esp spi 0xefa83812 reqid 0xefa83812 mode transport aead 'rfc4106(gcm(aes))' 0xe2fe3857301d8f72b5d71d295a462ef21868e407 128 offload packet dev p0 dir out sel src 196.234.181.165/16 dst 196.234.182.166/16 flag esn replay-window 32
/opt/mellanox/iproute2/sbin/ip xfrm state add src 196.234.182.166/16 dst 196.234.181.165/16 proto esp spi 0x63a7db74 reqid 0x63a7db74 mode transport aead 'rfc4106(gcm(aes))' 0xe916c4d0db1886e8c877b023e8cebef53b4d2d0f 128 offload packet dev p0 dir in sel src 196.234.182.166/16 dst 196.234.181.165/16 flag esn replay-window 32

Start OVS and set the following configuration on BF:
/usr/bin/ovs-vsctl set Open_vSwitch . other_config:hw-offload=true
/usr/bin/ovs-vsctl set Open_vSwitch . other_config:max-idle=300000

Host 2:
/opt/mellanox/iproute2/sbin/devlink dev eswitch set pci/0000:03:00.1 mode legacy
echo 'dmfs' > /sys/bus/pci/devices/0000:03:00.1/net/p1/compat/devlink/steering_mode
echo 'full' > /sys/class/net/p1/compat/devlink/ipsec_mode
/opt/mellanox/iproute2/sbin/devlink dev eswitch set pci/0000:03:00.1 mode switchdev

BF on host 2:
/opt/mellanox/iproute2/sbin/ip xfrm policy add src 196.234.182.166 dst 196.234.181.165 dir out tmpl src 196.234.182.166/16 dst 196.234.181.165/16 proto esp reqid 0xefa83812 mode transport priority 10
/opt/mellanox/iproute2/sbin/ip xfrm policy add src 196.234.181.165 dst 196.234.182.166 dir in tmpl src 196.234.181.165/16 dst 196.234.182.166/16 proto esp reqid 0x63a7db74 mode transport priority 10
/opt/mellanox/iproute2/sbin/ip xfrm policy add src 196.234.181.165 dst 196.234.182.166 dir fwd tmpl src 196.234.181.165/16 dst 196.234.182.166/16 proto esp reqid 0x63a7db74 mode transport priority 10
/opt/mellanox/iproute2/sbin/ip xfrm state add src 196.234.181.165 dst 196.234.182.166 proto esp spi 0xefa83812 reqid 0xefa83812 mode transport aead 'rfc4106(gcm(aes))' 0xe2fe3857301d8f72b5d71d295a462ef21868e407 128 offload packet dev p0 dir out sel src 196.234.181.165/16 dst 196.234.182.166/16 flag esn replay-window 32
/opt/mellanox/iproute2/sbin/ip xfrm state add src 196.234.181.165 dst 196.234.182.166 proto esp spi 0x63a7db74 reqid 0x63a7db74 mode transport aead 'rfc4106(gcm(aes))' 0xe916c4d0db1886e8c877b023e8cebef53b4d2d0f 128 offload packet dev p0 dir in sel src 196.234.181.165/16 dst 196.234.182.166/16 flag esn replay-window 32

Start OVS and set the following configuration on BF:
/usr/bin/ovs-vsctl set Open_vSwitch . other_config:hw-offload=true
/usr/bin/ovs-vsctl set Open_vSwitch . other_config:max-idle=300000

Send the traffic between host 1 and host 2 and check IPsec counters in
"ethtool -S" statistics on both BF.

How to fix:
Need to backport a series of xfrm patches into the BlueField 5.15 kernel from the 6.0 upstream kernel.
Patches needed for 5.15 kernel:
afe9e47 xfrm: fix conflict for netdev and tx stats
6aff54d xfrm: don't skip free of empty state in acquire policy
692fecb xfrm: delete offloaded policy
91b6276 xfrm: Support UDP encapsulation in packet offload mode
69e168a xfrm: add missed call to delete offloaded policies
9724724 xfrm: release all offloaded policy memory
e57b7ec xfrm: don't require advance ESN callback for packet offload
9e98488 xfrm: copy_to_user_state fetch offloaded SA packets/bytes statistics
4778c10 xfrm: add new device offload acquire flag
2601c94 netlink: provide an ability to set default extack message
b4951d5 netlink: add support for formatted extack messages
b5dd0fa xfrm: extend add state callback to set failure reason
326a004 xfrm: extend add policy callback to set failure reason
40b173d1 xfrm: document IPsec packet offload mode
b1737ae xfrm: add support to HW update soft and hard limits
cad4cd7 xfrm: speed-up lookup of HW policies
b347fe7 xfrm: add TX datapath support for IPsec packet offload mode
cfcc50f xfrm: add an interface to offload policy
2f7e5f7 xfrm: propagate extack to all netlink doit handlers
8d459bb xfrm: add extack to verify_policy_type
3563725 xfrm: allow state packet offload mode
207abea xfrm: add extack support to xfrm_dev_state_add
facf282 xfrm: add new packet offload flag
6f12533 xfrm: Remove not-used total variable
46bd9eb xfrm: drop not needed flags variable in XFRM offload struct
bbadbe7 xfrm: store and rely on direction to construct offload flags
c01b278 xfrm: rename xfrm_state_offload struct to allow reuse
f337706 xfrm: delete not used number of external headers
db0cee8 Revert "UBUNTU: SAUCE: net/xfrm: Fix XFRM flags validity check"
57995bb Revert "UBUNTU: SAUCE: net/xfrm: IPsec full offload support for lifetime limit"
244050a Revert "UBUNTU: SAUCE: net/xfrm: Add support for xfrm full offload"

** Affects: linux-bluefield (Ubuntu)
     Importance: Undecided
         Status: New
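
The last test step above, checking the IPsec counters in "ethtool -S" on both BF, can be scripted as a before/after comparison. This is an added example, not part of the bug report; the function names, the rule that failure counters carry "drop" in their name, and the sample counter names and values are assumptions to be matched against what the driver actually reports.

```shell
#!/bin/sh
# Added example (not from the bug report): diff two "ethtool -S" snapshots
# taken before and after sending traffic, looking only at IPsec counters.

# Reduce "ethtool -S" text on stdin to "name value" for names containing "ipsec".
ipsec_counters() {
    awk -F': *' 'tolower($1) ~ /ipsec/ { sub(/^[ \t]+/, "", $1); print $1, $2 }'
}

# ipsec_delta BEFORE AFTER -> "name before after delta" per changed counter.
ipsec_delta() {
    {
        printf '%s\n' "$1" | ipsec_counters | sed 's/^/B /'
        printf '%s\n' "$2" | ipsec_counters | sed 's/^/A /'
    } | awk '
        $1 == "B" { before[$2] = $3 }
        $1 == "A" && $3 != before[$2] + 0 {
            print $2, before[$2] + 0, $3, $3 - before[$2]
        }'
}

# offload_verdict BEFORE AFTER -> "drops" when a drop counter grew, "pass" when
# only non-drop IPsec counters grew, "idle" when no IPsec counter grew.
# Assumption: failure counters carry "drop" in their name.
offload_verdict() {
    ipsec_delta "$1" "$2" | awk '
        $4 > 0 && $1 ~ /drop/  { drops = 1 }
        $4 > 0 && $1 !~ /drop/ { moved = 1 }
        END { v = "idle"; if (moved) v = "pass"; if (drops) v = "drops"; print v }'
}

# Constructed snapshots; counter names and values are illustrative only.
BEFORE='NIC statistics:
     rx_packets: 1200
     ipsec_rx_pkts: 0
     ipsec_tx_pkts: 0
     ipsec_rx_drop_pkts: 0'
AFTER='NIC statistics:
     rx_packets: 5200
     ipsec_rx_pkts: 1980
     ipsec_tx_pkts: 2000
     ipsec_rx_drop_pkts: 0'

ipsec_delta "$BEFORE" "$AFTER"
echo "verdict: $(offload_verdict "$BEFORE" "$AFTER")"
```

On each BF, capture the output of "ethtool -S p0" into one variable before the traffic run and into another after it, then pass both to offload_verdict. An "idle" result while traffic is flowing means the packets are not going through the offloaded SAs.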

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-bluefield in Ubuntu.
https://bugs.launchpad.net/bugs/2034578

Title:
  Support IPSEC full offload implementation

Status in linux-bluefield package in Ubuntu:
  New
