From: Maxim Mikityanskiy
IPSEC offload needs to modify the eseg of the WQE that is being filled,
but it receives a pointer to the whole WQE. To make the contract
stricter, pass only the pointer to the eseg of that WQE. This commit is
preparation for the following refactoring of offloads in the
From: Florian Westphal
Date: Thu, 27 Jun 2019 17:12:42 +0200
> running the script on systems without netdevsim now prints:
>
> SKIP: ipsec_offload can't load netdevsim
>
> instead of error message & failed status.
>
> Signed-off-by: Florian Westphal
> ---
> Feel free to apply to -next, its n
running the script on systems without netdevsim now prints:
SKIP: ipsec_offload can't load netdevsim
instead of error message & failed status.
Signed-off-by: Florian Westphal
---
Feel free to apply to -next, its not a bug fix per se.
tools/testing/selftests/net/rtnetlink.sh | 16 ++--
From: Shannon Nelson
Add an add and a delete message for IPsec offload requests from
the VF. These call into the IPsec functions that can translate
the message buffer into a useful IPsec offload.
These new messages bump the mbox API version to 1.4.
Signed-off-by: Shannon Nelson
Tested-by
*/
#define IXGBE_ADVTXD_POPTS_SHIFT 8 /* Adv desc POPTS shift */
+#define IXGBE_ADVTXD_POPTS_IPSEC 0x0400 /* IPSec offload request */
#define IXGBE_ADVTXD_POPTS_IXSM(IXGBE_TXD_POPTS_IXSM << \
IXGBE_ADVTXD_POPTS_SHIFT)
#
From: Shannon Nelson
Add the IPsec offload support code. This is based off of the similar
code in ixgbe, but instead of writing the SA registers, the VF asks
the PF to setup the offload by sending the offload information to the
PF via the standard mailbox.
Signed-off-by: Shannon Nelson
Tested
From: Shannon Nelson
Add the IPsec initialization into the driver startup and
add the Rx and Tx processing hooks.
Signed-off-by: Shannon Nelson
Tested-by: Andrew Bowers
Signed-off-by: Jeff Kirsher
---
drivers/net/ethernet/intel/ixgbevf/defines.h | 2 +-
drivers/net/ethernet/intel/ixgbevf/e
From: Shannon Nelson
Add a private flag to expressly enable support for VF IPsec offload.
The VF will have to be "trusted" in order to use the hardware offload,
but because of the general concerns of managing VF access, we want to
be sure the user specifically is enabling the feature
> >> We should probably look at adding at least one patch to the set then
> >> that disables IPsec Tx offload if SR-IOV is enabled with VEB so that
> >> we don't end up breaking connections should a VF be migrated from a
> >> remote system to a local one that
nk we want to disallow
all Tx IPsec offload.
Maybe we can catch it in ixgbe_ipsec_offload_ok()? If it can find that
the dest mac is on the internal switch, perhaps it can NAK the Tx
offload? That would force the XFRM xmit code to do a regular SW encrypt
before sending the packet. I'll
ystem to a local one that it is connected to.
- Alex
The problem with this is that someone could set up an IPsec connection
on the PF for Tx and Rx use, then set num_vfs, start some VFs, and we
still can end up in the same place. I don't think we want to disallow
all Tx IPsec offlo
On Tue, Aug 14, 2018 at 10:10 AM Shannon Nelson
wrote:
>
> On 8/14/2018 8:30 AM, Alexander Duyck wrote:
> > On Mon, Aug 13, 2018 at 11:43 AM Shannon Nelson
> > wrote:
> >>
> >> This set of patches implements IPsec hardware offload for VF devices in
> >> Intel's 10Gbe x540 family of Ethernet devic
On 8/14/2018 8:30 AM, Alexander Duyck wrote:
On Mon, Aug 13, 2018 at 11:43 AM Shannon Nelson
wrote:
This set of patches implements IPsec hardware offload for VF devices in
Intel's 10Gbe x540 family of Ethernet devices.
[...]
So the one question I would have about this patch set is what ha
will need to add Tx SAs
> without the offload attribute.
>
> Given that we don't have Tx offload support, the benefit here is less
> than it could be, but is definitely still noticeable. For example, with
> informal iperf testing over a 10Gbps link, with full offload in a PF on
>
one side and a VF in a VM on the other side on a CPU with AES instructions:
Reference:
No IPsec: 9.4 Gbps
IPsec offload btwn two PFs: 9.2 Gbps
VF as the iperf receiver:
IPsec offload on PF, none on VF: 6.8 Gbps
IPsec offload on
IXGBE_ADVTXD_POPTS_IPSEC0x0400 /* IPSec offload request */
#define IXGBE_ADVTXD_POPTS_IXSM(IXGBE_TXD_POPTS_IXSM << \
IXGBE_ADVTXD_POPTS_SHIFT)
#define IXGBE_ADVTXD_POPTS_TXSM(IXGBE_TXD_POPTS_TXSM << \
diff --git a/drivers/net/et
Add an add and a delete message for IPsec offload requests from
the VF. These call into the ipsec functions that can translate
the message buffer into a useful IPsec offload.
These new messages bump the mbox API version to 1.4.
Signed-off-by: Shannon Nelson
---
drivers/net/ethernet/intel
Add a private flag to expressly enable support for VF IPsec offload.
The VF will have to be "trusted" in order to use the hardware offload,
but because of the general concerns of managing VF access, we want to
be sure the user specifically is enabling the feature.
This is likely a can
Add the ipsec offload support code. This is based off of the similar
code in ixgbe, but instead of writing the SA registers, the VF asks
the PF to setup the offload by sending the offload information to the
PF via the standard mailbox.
Signed-off-by: Shannon Nelson
---
drivers/net/ethernet
Add the ipsec initialization into the driver startup and
add the Rx and Tx processing hooks.
Signed-off-by: Shannon Nelson
---
drivers/net/ethernet/intel/ixgbevf/defines.h | 2 +-
drivers/net/ethernet/intel/ixgbevf/ethtool.c | 2 +
drivers/net/ethernet/intel/ixgbevf/ixgbevf.h |
On Tue, 26 Jun 2018 10:07:54 -0700, Shannon Nelson wrote:
> Implement the IPsec/XFRM offload API for testing.
>
> Signed-off-by: Shannon Nelson
> ---
> V2 - addressed formatting comments from Jakub Kicinski
> V3 - a couple more little xmas tree nits
Thank you! :)
Reviewed-by: Jakub Kicinski
d) {
+ netdev_err(dev, "Unsupported IPsec algorithm\n");
+ return -EINVAL;
+ }
+
+ if (xs->aead->alg_icv_len != NSIM_IPSEC_AUTH_BITS) {
+ netdev_err(dev, "IPsec offload requires %d bit
authentication\n",
+ NSI
ip addr add $srcip dev $dev
+ ip link set $dev up
+ if [ ! -d $sysfsd ] ; then
+ echo "FAIL: ipsec_offload can't create device $dev"
+ return 1
+ fi
+ if [ ! -f $sysfsf ] ; then
+ echo "FAIL: ipsec_offl
On Mon, 25 Jun 2018 16:41:35 -0700, Shannon Nelson wrote:
> Implement the IPsec/XFRM offload API for testing.
>
> Signed-off-by: Shannon Nelson
> ---
> V2 - addressed formatting comments from Jakub Kicinski
Thanks! One more comment below, otherwise:
Reviewed-by: Jakub Kicinski
> +static void
ip addr add $srcip dev $dev
+ ip link set $dev up
+ if [ ! -d $sysfsd ] ; then
+ echo "FAIL: ipsec_offload can't create device $dev"
+ return 1
+ fi
+ if [ ! -f $sysfsf ] ; then
+ echo "FAIL: ipsec_offl
ykey, u32 *mysalt)
+{
+ const char aes_gcm_name[] = "rfc4106(gcm(aes))";
+ struct net_device *dev = xs->xso.dev;
+ unsigned char *key_data;
+ char *alg_name = NULL;
+ int key_len;
+
+ if (!xs->aead) {
+ netdev_err(dev, "Unsuppo
ext lines dependent on it.
I know, but I'd really prefer you just followed the rule here.
> >> diff --git a/drivers/net/netdevsim/netdevsim.h
> >> b/drivers/net/netdevsim/netdevsim.h
> >> index 3a8581a..1708dee 100644
> >> --- a/drivers/net/netdevsim/netdevsim.
+
+ if (!xs->aead) {
+ netdev_err(dev, "Unsupported IPsec algorithm\n");
+ return -EINVAL;
+ }
+
+ if (xs->aead->alg_icv_len != NSIM_IPSEC_AUTH_BITS) {
+ netdev_err(dev, "IPsec offload requires %d bit
authentication\n",
*dev = xs->xso.dev;
+ unsigned char *key_data;
+ char *alg_name = NULL;
+ const char aes_gcm_name[] = "rfc4106(gcm(aes))";
+ int key_len;
reverse xmas tree please
+
+ if (!xs->aead) {
+ netdev_err(dev, "Unsupported IPse
tocol keys and salt to our own data tables. The
> + * 82599 family only supports the one algorithm.
82599 is a fine chip, it's not netdevsim tho? ;)
> + **/
> +static int nsim_ipsec_parse_proto_keys(struct xfrm_state *xs,
> + u32 *
] = "rfc4106(gcm(aes))";
+ int key_len;
+
+ if (!xs->aead) {
+ netdev_err(dev, "Unsupported IPsec algorithm\n");
+ return -EINVAL;
+ }
+
+ if (xs->aead->alg_icv_len != NSIM_IPSEC_AUTH_BITS) {
+ netdev_err(dev, &quo
ip addr add $srcip dev $dev
+ ip link set $dev up
+ if [ ! -d $sysfsd ] ; then
+ echo "FAIL: ipsec_offload can't create device $dev"
+ return 1
+ fi
+ if [ ! -f $sysfsf ] ; then
+ echo "FAIL: ipsec_offl
Hi Steffen,
While adding the ipsec-offload API to netdevsim I ran across an issue
with the use of x->xso.offload_handle that I think needs attention, and
would like your opinion before I try to address it.
The offload_handle is essentially an opaque magic cookie to be used by
the driver
From: Shannon Nelson
Fix things up to support TSO offload in conjunction
with IPsec hw offload. This raises throughput with
IPsec offload on to nearly line rate.
Signed-off-by: Shannon Nelson
Tested-by: Andrew Bowers
Signed-off-by: Jeff Kirsher
---
drivers/net/ethernet/intel/ixgbe
Fix things up to support TSO offload in conjunction
with IPsec hw offload. This raises throughput with
IPsec offload on to nearly line rate.
Signed-off-by: Shannon Nelson
---
v2 updates from Alex's comments:
- changed feature add from variable to #define
- fixed a reverse christmas tree
On 3/15/2018 3:03 PM, Alexander Duyck wrote:
On Thu, Mar 15, 2018 at 2:23 PM, Shannon Nelson
wrote:
Fix things up to support TSO offload in conjunction
with IPsec hw offload. This raises throughput with
IPsec offload on to nearly line rate.
Signed-off-by: Shannon Nelson
---
drivers/net
On Thu, Mar 15, 2018 at 2:23 PM, Shannon Nelson
wrote:
> Fix things up to support TSO offload in conjunction
> with IPsec hw offload. This raises throughput with
> IPsec offload on to nearly line rate.
>
> Signed-off-by: Shannon Nelson
> ---
> drivers/net/ethernet/inte
Fix things up to support TSO offload in conjunction
with IPsec hw offload. This raises throughput with
IPsec offload on to nearly line rate.
Signed-off-by: Shannon Nelson
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 7 +--
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 25
From: Shannon Nelson
If the skb has a security association referenced in the skb, then
set up the Tx descriptor with the ipsec offload bits. While we're
here, we fix an oddly named field in the context descriptor struct.
Signed-off-by: Shannon Nelson
Tested-by: Andrew Bowers
Signed-o
ipsec *ipsec = adapter->ipsec;
+ struct ixgbe_hw *hw = &adapter->hw;
+ int checked, match, first;
+ u16 sa_idx;
+ int ret;
+ int i;
+
+ if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) {
+ netdev_err(dev, "Unsupported
From: Shannon Nelson
If the chip sees and decrypts an ipsec offload, set up the skb
sp pointer with the ralated SA info. Since the chip is rude
enough to keep to itself the table index it used for the
decryption, we have to do our own table lookup, using the
hash for speed.
Signed-off-by
From: Shannon Nelson
With all the support code in place we can now link in the ipsec
offload operations and set the ESP feature flag for the XFRM
subsystem to see.
Signed-off-by: Shannon Nelson
Tested-by: Andrew Bowers
Signed-off-by: Jeff Kirsher
---
drivers/net/ethernet/intel/ixgbe
From: Shannon Nelson
Add a simple statistic to count the ipsec offloads.
Signed-off-by: Shannon Nelson
Tested-by: Andrew Bowers
Signed-off-by: Jeff Kirsher
---
drivers/net/ethernet/intel/ixgbe/ixgbe.h | 2 ++
drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 2 ++
drivers/net/ethern
Fix up the Rx path to watch for and decode ipv6 headers that might be
carrying ipsec headers. To do so, we first change the search function
to be able to take both ipv4 and ipv6 addresses from a pointer, and add
an argument that tells which we are using. Then in the Rx handler we
add a check for
These are a couple of tweaks I found while making sure that the ipsec
offload would work on SPARC.
Shannon Nelson (2):
ixgbe: ipsec offload for sparc
ixgbe: use compiler constants in Rx path
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 14 +++---
1 file changed, 7 insertions
Add a couple of byteswaps needed to make the ipsec offload
work on big-endian SPARC platforms.
Signed-off-by: Shannon Nelson
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
On 12/22/2017 12:24 AM, Yanjun Zhu wrote:
On 2017/12/20 8:00, Shannon Nelson wrote:
If the skb has a security association referenced in the skb, then
set up the Tx descriptor with the ipsec offload bits. While we're
here, we fix an oddly named field in the context descriptor s
On 2017/12/20 8:00, Shannon Nelson wrote:
If the skb has a security association referenced in the skb, then
set up the Tx descriptor with the ipsec offload bits. While we're
here, we fix an oddly named field in the context descriptor struct.
v3: added ifdef CONFIG_XFRM_OFFLOAD check a
Don't try to set up ipsec offload on the oldest part of
the ixgbe family.
Suggested-by: Yanjun Zhu
Signed-off-by: Shannon Nelson
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
b/dr
ipsec feature is based on x540, x550, 82599. But
this ixgbe driver
will also work with 82598.
Does this ipsec feature also work with 82598?
Sorry. I mean, after these ipsec patches are applied, whether ipsec
offload enabled or not,
can this ixgbe driver still work well with 82598?
Hmm... I
82599. But
this ixgbe driver
will also work with 82598.
Does this ipsec feature also work with 82598?
Sorry. I mean, after these ipsec patches are applied, whether ipsec
offload enabled or not,
can this ixgbe driver still work well with 82598?
Zhu Yanjun
Thanks a lot.
Zhu Yanjun
These pa
work with 82598.
Does this ipsec feature also work with 82598?
Thanks a lot.
Zhu Yanjun
These patches apply to net-next v4.14 as well as Jeff Kirsher's next-queue
v4.15-rc1-206-ge47375b.
The ixgbe NICs support ipsec offload for 1024 Rx and 1024 Tx Security
Associations (SAs), using up to 1
ixgbe_xfrmdev_ops = {
+ .xdo_dev_state_add = ixgbe_ipsec_add_sa,
+ .xdo_dev_state_delete = ixgbe_ipsec_del_sa,
+};
+
This struct is only declared if XFRM_OFFLOAD is selected. What is
selecting it for ixgbe driver?
mlx5 driver has an extra option for ipsec offload and it then does
'depen
tatic const struct xfrmdev_ops ixgbe_xfrmdev_ops = {
> > > + .xdo_dev_state_add = ixgbe_ipsec_add_sa,
> > > + .xdo_dev_state_delete = ixgbe_ipsec_del_sa,
> > > +};
> > > +
> >
> > This struct is only declared if XFRM_OFFLOAD is selected. What is
> > selecting it fo
,
+};
+
This struct is only declared if XFRM_OFFLOAD is selected. What is
selecting it for ixgbe driver?
mlx5 driver has an extra option for ipsec offload and it then does
'depends on XFRM_OFFLOAD'
Marcelo
I didn't bother putting a 'depends' item in the ixgbe's Kconfig
ed if XFRM_OFFLOAD is selected. What is
selecting it for ixgbe driver?
mlx5 driver has an extra option for ipsec offload and it then does
'depends on XFRM_OFFLOAD'
Marcelo
With all the support code in place we can now link in the ipsec
offload operations and set the ESP feature flag for the XFRM
subsystem to see.
v3: added ifdef CONFIG_XFRM_OFFLOAD in ixgbe_features_check
v2: added the xdo_dev_state_free callback to make XFRM happy
changed use of
This is an implementation of the ipsec hardware offload feature for
the ixgbe driver and Intel's 10Gbe series NICs: x540, x550, 82599.
These patches apply to net-next v4.14 as well as Jeff Kirsher's next-queue
v4.15-rc1-206-ge47375b.
The ixgbe NICs support ipsec offload for 1024 Rx a
Add a simple statistic to count the ipsec offloads.
v2: change per ring counter to adapter rx and tx counters
move tx_ipsec count to the tx clean code
Signed-off-by: Shannon Nelson
---
drivers/net/ethernet/intel/ixgbe/ixgbe.h | 2 ++
drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
If the chip sees and decrypts an ipsec offload, set up the skb
sp pointer with the ralated SA info. Since the chip is rude
enough to keep to itself the table index it used for the
decryption, we have to do our own table lookup, using the
hash for speed.
Signed-off-by: Shannon Nelson
If the skb has a security association referenced in the skb, then
set up the Tx descriptor with the ipsec offload bits. While we're
here, we fix an oddly named field in the context descriptor struct.
v3: added ifdef CONFIG_XFRM_OFFLOAD check around call to ixgbe_ipsec_tx()
v2: use ihl
so.dev;
+ struct ixgbe_adapter *adapter = netdev_priv(dev);
+ struct ixgbe_ipsec *ipsec = adapter->ipsec;
+ struct ixgbe_hw *hw = &adapter->hw;
+ int checked, match, first;
+ u16 sa_idx;
+ int ret;
+ int i;
+
+ if (xs->id.proto != IPPROTO_ES
:
https://github.com/0day-ci/linux/commits/Shannon-Nelson/ixgbe-Add-ipsec-offload/20171216-024335
config: i386-randconfig-b0-12160414 (attached as .config)
compiler: gcc-4.9 (Debian 4.9.4-2) 4.9.4
reproduce:
# save the attached .config to linux build tree
make ARCH=i386
All errors
On 12/15/2017 12:10 PM, kbuild test robot wrote:
[...]
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c: In function
'ixgbe_xmit_frame_ring':
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:8563:11: error: 'struct sk_buff'
has no member named 'sp'; did you mean 'sk'?
if (skb->sp && !ixg
:
https://github.com/0day-ci/linux/commits/Shannon-Nelson/ixgbe-Add-ipsec-offload/20171216-024335
config: i386-randconfig-x013-201750 (attached as .config)
compiler: gcc-7 (Debian 7.2.0-12) 7.2.1 20171025
reproduce:
# save the attached .config to linux build tree
make ARCH=i386
aven't looked into why yet.
L4T_TCP, AFAIK is a control of whether or not the L4 checksum generated
by the offload hardware uses the "never equal 0" logic required by TCP
checksums, but not required by UDP checksums. Not sure if that helps,
or even really applies to the c
On 12/12/2017 5:59 PM, Alexander Duyck wrote:
On Tue, Dec 12, 2017 at 3:37 PM, Shannon Nelson
wrote:
If the skb has a security association referenced in the skb, then
set up the Tx descriptor with the ipsec offload bits. While we're
here, we fix an oddly named field in the context descr
On Tue, Dec 12, 2017 at 3:37 PM, Shannon Nelson
wrote:
> If the skb has a security association referenced in the skb, then
> set up the Tx descriptor with the ipsec offload bits. While we're
> here, we fix an oddly named field in the context descriptor struct.
>
> Signed-of
struct ixgbe_adapter *adapter = netdev_priv(dev);
+ struct ixgbe_ipsec *ipsec = adapter->ipsec;
+ struct ixgbe_hw *hw = &adapter->hw;
+ int checked, match, first;
+ u16 sa_idx;
+ int ret;
+ int i;
+
+ if (xs->id.proto != IPPROTO_ES
If the skb has a security association referenced in the skb, then
set up the Tx descriptor with the ipsec offload bits. While we're
here, we fix an oddly named field in the context descriptor struct.
Signed-off-by: Shannon Nelson
---
v2: use ihl != 5
move the ixgbe_ipsec_tx() call to
Add a simple statistic to count the ipsec offloads.
Signed-off-by: Shannon Nelson
---
v2: change per ring counter to adapter rx and tx counters
move tx_ipsec count to the tx clean code
drivers/net/ethernet/intel/ixgbe/ixgbe.h | 2 ++
drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
With all the support code in place we can now link in the ipsec
offload operations and set the ESP feature flag for the XFRM
subsystem to see.
Signed-off-by: Shannon Nelson
---
v2: added the xdo_dev_state_free callback to make XFRM happy
changed use of NETIF_F_HW_CSUM_BIT to NETIF_F_HW_CSUM
If the chip sees and decrypts an ipsec offload, set up the skb
sp pointer with the ralated SA info. Since the chip is rude
enough to keep to itself the table index it used for the
decryption, we have to do our own table lookup, using the
hash for speed.
Signed-off-by: Shannon Nelson
---
v2: no
This is an implementation of the ipsec hardware offload feature for
the ixgbe driver and Intel's 10Gbe series NICs: x540, x550, 82599.
These patches apply to net-next v4.14 as well as Jeff Kirsher's next-queue
v4.15-rc1-206-ge47375b.
The ixgbe NICs support ipsec offload for 1024 Rx a
n Mon, Dec 4, 2017 at 9:35 PM, Shannon Nelson
wrote:
If the skb has a security association referenced in the skb, then
set up the Tx descriptor with the ipsec offload bits. While we're
here, we fix an oddly named field in the context descriptor struct.
Signed-off-by: Shannon Nelson
---
d
On Wed, Dec 6, 2017 at 9:43 PM, Shannon Nelson
wrote:
> On 12/5/2017 10:13 AM, Alexander Duyck wrote:
>>
>> On Mon, Dec 4, 2017 at 9:35 PM, Shannon Nelson
>> wrote:
>>>
>>> If the skb has a security association referenced in the skb, then
>>> set
On Wed, Dec 6, 2017 at 9:43 PM, Shannon Nelson
wrote:
> On 12/5/2017 9:40 AM, Alexander Duyck wrote:
>>
>> On Mon, Dec 4, 2017 at 9:35 PM, Shannon Nelson
>> wrote:
>>>
>>> If the chip sees and decrypts an ipsec offload, set up the skb
>>> sp poin
On 12/5/2017 12:11 PM, Alexander Duyck wrote:
On Mon, Dec 4, 2017 at 9:35 PM, Shannon Nelson
wrote:
With all the support code in place we can now link in the ipsec
offload operations and set the ESP feature flag for the XFRM
subsystem to see.
Signed-off-by: Shannon Nelson
---
drivers/net
On 12/5/2017 11:53 AM, Alexander Duyck wrote:
On Mon, Dec 4, 2017 at 9:35 PM, Shannon Nelson
wrote:
Add a simple statistic to count the ipsec offloads.
Signed-off-by: Shannon Nelson
---
drivers/net/ethernet/intel/ixgbe/ixgbe.h | 1 +
drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.
On 12/5/2017 10:13 AM, Alexander Duyck wrote:
On Mon, Dec 4, 2017 at 9:35 PM, Shannon Nelson
wrote:
If the skb has a security association referenced in the skb, then
set up the Tx descriptor with the ipsec offload bits. While we're
here, we fix an oddly named field in the context descr
On 12/5/2017 9:40 AM, Alexander Duyck wrote:
On Mon, Dec 4, 2017 at 9:35 PM, Shannon Nelson
wrote:
If the chip sees and decrypts an ipsec offload, set up the skb
sp pointer with the ralated SA info. Since the chip is rude
enough to keep to itself the table index it used for the
decryption, we
On Mon, Dec 4, 2017 at 9:35 PM, Shannon Nelson
wrote:
> With all the support code in place we can now link in the ipsec
> offload operations and set the ESP feature flag for the XFRM
> subsystem to see.
>
> Signed-off-by: Shannon Nelson
> ---
> drivers/net/ethernet/intel/ix
On Mon, Dec 4, 2017 at 9:35 PM, Shannon Nelson
wrote:
> Add a simple statistic to count the ipsec offloads.
>
> Signed-off-by: Shannon Nelson
> ---
> drivers/net/ethernet/intel/ixgbe/ixgbe.h | 1 +
> drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 28
> ++--
> dr
On Mon, Dec 4, 2017 at 9:35 PM, Shannon Nelson
wrote:
> If the skb has a security association referenced in the skb, then
> set up the Tx descriptor with the ipsec offload bits. While we're
> here, we fix an oddly named field in the context descriptor struct.
>
> Signed-of
On Mon, Dec 4, 2017 at 9:35 PM, Shannon Nelson
wrote:
> If the chip sees and decrypts an ipsec offload, set up the skb
> sp pointer with the ralated SA info. Since the chip is rude
> enough to keep to itself the table index it used for the
> decryption, we have to do our own table l
With all the support code in place we can now link in the ipsec
offload operations and set the ESP feature flag for the XFRM
subsystem to see.
Signed-off-by: Shannon Nelson
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 4
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 4
2
If the skb has a security association referenced in the skb, then
set up the Tx descriptor with the ipsec offload bits. While we're
here, we fix an oddly named field in the context descriptor struct.
Signed-off-by: Shannon Nelson
---
drivers/net/ethernet/intel/ixgbe/ixgbe.h
This is an implementation of the ipsec hardware offload feature for
the ixgbe driver and Intel's 10Gbe series NICs: x540, x550, 82599.
These patches apply to net-next v4.14 as well as Jeff Kirsher's next-queue
v4.15-rc1-206-ge47375b.
The ixgbe NICs support ipsec offload for 1024 Rx a
Add a simple statistic to count the ipsec offloads.
Signed-off-by: Shannon Nelson
---
drivers/net/ethernet/intel/ixgbe/ixgbe.h | 1 +
drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 28 ++--
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 3 +++
3 files change
If the chip sees and decrypts an ipsec offload, set up the skb
sp pointer with the ralated SA info. Since the chip is rude
enough to keep to itself the table index it used for the
decryption, we have to do our own table lookup, using the
hash for speed.
Signed-off-by: Shannon Nelson
On Tue, Aug 01, 2017 at 12:49:03PM +0300, il...@mellanox.com wrote:
> From: Ilan Tayari
>
> Hi Steffen,
>
> This patchset introduces several improvements to IPSec offload.
> We would like to see these merged in 4.14.
>
> Patches 1-4 add RX checksum offload sup
From: Ilan Tayari
Hi Steffen,
This patchset introduces several improvements to IPSec offload.
We would like to see these merged in 4.14.
Patches 1-4 add RX checksum offload support.
This gives a big performance boost.
These patches have been submitted before but were not merged.
Note that
From: Saeed Mahameed
Date: Tue, 27 Jun 2017 17:28:40 +0300
> This series from Ilan provides the support for IPsec XFRM offload
> in mlx5 drivers for Innova devices.
>
> For more detalis please see tag log from Ilan below.
>
> Please pull and let me know if there's any problem.
Pulled, thanks.
psec->en_priv->mdev,
&hw_sa);
+ if (IS_ERR(context))
+ return;
+
+ sa_entry->context = context;
+}
+
+static void mlx5e_xfrm_free_state(struct xfrm_state *x)
+{
+ struct mlx5e_ipsec_sa_entry *sa_entry;
+ int res;
+
+ if (!x->xso.offl
ata.
Support only Linked-list RQ type.
IPSec offload RX packets may have useful CHECKSUM_COMPLETE information,
which the stack may not be able to use yet.
Signed-off-by: Ilan Tayari
Signed-off-by: Yossi Kuperman
Signed-off-by: Yevgeny Kliteynik
Signed-off-by: Boris Pismenny
Signed-off-by: Sa
r you to fetch changes up to 164f16f7021406795729916e100c7edd53ae954f:
net/mlx5e: IPSec, Add IPSec ethtool stats (2017-06-27 16:36:48 +0300)
mlx5-updates-2017-06-27 (Innova IPsec offload support)
This patchset adds support for Innova IPSec network i
From: Ilan Tayari
In the TX data path, prepend a special metadata ethertype which
instructs the hardware to perform cryptography.
In addition, fill Software-Parser segment in TX descriptor so
that the hardware may parse the ESP protocol, and perform TX
checksum offload on the inner payload.
Sup
From: Ilan Tayari
Upon NETDEV_DOWN event, all xfrm_state objects which are bound to
the device are flushed.
The condition for this is wrong, though, testing dev->hw_features
instead of dev->features. If a device has non-user-modifiable
NETIF_F_HW_ESP, then its xfrm_state objects are not flushed,
On Mon, May 08, 2017 at 10:39:34AM +0300, il...@mellanox.com wrote:
> From: Ilan Tayari
>
> Upon NETDEV_DOWN event, all xfrm_state objects which are bound to
> the device are flushed.
>
> The condition for this is wrong, though, testing dev->hw_features
> instead of dev->features. If a device ha
From: Ilan Tayari
Upon NETDEV_DOWN event, all xfrm_state objects which are bound to
the device are flushed.
The condition for this is wrong, though, testing dev->hw_features
instead of dev->features. If a device has non-user-modifiable
NETIF_F_HW_ESP, then its xfrm_state objects are not flushed,
1 - 100 of 109 matches
Mail list logo
