nfp: tls: enable TLS RX offload [Linux 5.3]

This Linux kernel change "nfp: tls: enable TLS RX offload" is included in the Linux 5.3 release. The change was authored by Jakub Kicinski <jakub.kicinski [at] netronome.com> on Mon Jun 10 21:40:07 2019 -0700. The commit for this change in the Linux stable tree is c0a4948 (patch).

nfp: tls: enable TLS RX offload

Set ethtool TLS RX feature based on NIC capabilities, and enable
TLS RX when connections are added for decryption.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

This change adds or deletes 32 lines of Linux source code. The code changes to the Linux kernel are as follows.

 drivers/net/ethernet/netronome/nfp/crypto/crypto.h |  5 +++++
 drivers/net/ethernet/netronome/nfp/crypto/tls.c    | 25 ++++++++++++++++------
 drivers/net/ethernet/netronome/nfp/nfp_net.h       |  2 ++
 3 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/drivers/net/ethernet/netronome/nfp/crypto/crypto.h b/drivers/net/ethernet/netronome/nfp/crypto/crypto.h
index 1f97fb4..591924a 100644
--- a/drivers/net/ethernet/netronome/nfp/crypto/crypto.h
+++ b/drivers/net/ethernet/netronome/nfp/crypto/crypto.h
@@ -7,6 +7,11 @@
 struct nfp_net_tls_offload_ctx {
    __be32 fw_handle[2];

+   u8 rx_end[0];
+   /* Tx only fields follow - Rx side does not have enough driver state
+    * to fit these
+    */
+
    u32 next_seq;
    bool out_of_sync;
 };
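Review bot: The comment under `rx_end` says the Tx-only fields do not fit the Rx driver state, but it does not spell out the consequence. For an Rx context, `next_seq` and `out_of_sync` presumably lie outside the per-connection area the TLS core reserves, so any access to them through an Rx context would be out of bounds. The `BUILD_BUG_ON` added in tls.c only checks the offset of `rx_end` against `TLS_DRIVER_STATE_SIZE_RX`, so nothing enforces this at the point of use. I would state the rule in the comment, e.g. `/* Tx only fields follow - never access these through an Rx context, they lie beyond TLS_DRIVER_STATE_SIZE_RX */`. The `next_seq` assignment that tls.c now guards with `direction == TLS_OFFLOAD_CTX_DIR_TX` depends on the same rule and deserves a one-line comment pointing back to it.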
diff --git a/drivers/net/ethernet/netronome/nfp/crypto/tls.c b/drivers/net/ethernet/netronome/nfp/crypto/tls.c
index eebaf5e..4427c1d 100644
--- a/drivers/net/ethernet/netronome/nfp/crypto/tls.c
+++ b/drivers/net/ethernet/netronome/nfp/crypto/tls.c
@@ -47,10 +47,16 @@ static void nfp_net_crypto_set_op(struct nfp_net *nn, u8 opcode, bool on)
    u8 opcode;
    int cnt;

-   opcode = NFP_NET_CRYPTO_OP_TLS_1_2_AES_GCM_128_ENC;
-   nn->ktls_tx_conn_cnt += add;
-   cnt = nn->ktls_tx_conn_cnt;
-   nn->dp.ktls_tx = !!nn->ktls_tx_conn_cnt;
+   if (direction == TLS_OFFLOAD_CTX_DIR_TX) {
+       opcode = NFP_NET_CRYPTO_OP_TLS_1_2_AES_GCM_128_ENC;
+       nn->ktls_tx_conn_cnt += add;
+       cnt = nn->ktls_tx_conn_cnt;
+       nn->dp.ktls_tx = !!nn->ktls_tx_conn_cnt;
+   } else {
+       opcode = NFP_NET_CRYPTO_OP_TLS_1_2_AES_GCM_128_DEC;
+       nn->ktls_rx_conn_cnt += add;
+       cnt = nn->ktls_rx_conn_cnt;
+   }

    /* Care only about 0 -> 1 and 1 -> 0 transitions */
    if (cnt > 1)
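Review bot: Both branches apply `+= add` to an `unsigned int` counter and then copy it into the signed `int cnt`, and nothing rejects a decrement at zero. This applies to `ktls_tx_conn_cnt` and to `ktls_rx_conn_cnt` as declared in nfp_net.h. If `add` can be negative, as the "1 -> 0" comment suggests, an unbalanced delete would wrap the counter, and the `cnt > 1` test on the signed copy would probably not catch it, so the crypto opcode would be toggled from a corrupted count. A check before the update, such as `WARN_ON_ONCE(add < 0 && !nn->ktls_rx_conn_cnt);` with the TX equivalent in the other branch, would make that state visible. The function begins and ends outside this hunk, so the type of `add` is inferred.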
@@ -228,7 +234,7 @@ static u8 nfp_tls_1_2_dir_to_opcode(enum tls_offload_ctx_dir direction)
        if (direction == TLS_OFFLOAD_CTX_DIR_TX)
            bit = NFP_NET_CRYPTO_OP_TLS_1_2_AES_GCM_128_ENC;
        else
-           return false;
+           bit = NFP_NET_CRYPTO_OP_TLS_1_2_AES_GCM_128_DEC;
        break;
    default:
        return false;
@@ -256,6 +262,8 @@ static u8 nfp_tls_1_2_dir_to_opcode(enum tls_offload_ctx_dir direction)

    BUILD_BUG_ON(sizeof(struct nfp_net_tls_offload_ctx) >
             TLS_DRIVER_STATE_SIZE_TX);
+   BUILD_BUG_ON(offsetof(struct nfp_net_tls_offload_ctx, rx_end) >
+            TLS_DRIVER_STATE_SIZE_RX);

    if (!nfp_net_cipher_supported(nn, crypto_info->cipher_type, direction))
        return -EOPNOTSUPP;
@@ -341,7 +349,8 @@ static u8 nfp_tls_1_2_dir_to_opcode(enum tls_offload_ctx_dir direction)

    ntls = tls_driver_ctx(sk, direction);
    memcpy(ntls->fw_handle, reply->handle, sizeof(ntls->fw_handle));
-   ntls->next_seq = start_offload_tcp_sn;
+   if (direction == TLS_OFFLOAD_CTX_DIR_TX)
+       ntls->next_seq = start_offload_tcp_sn;
    dev_consume_skb_any(skb);

    if (direction == TLS_OFFLOAD_CTX_DIR_TX)
@@ -450,6 +459,10 @@ int nfp_net_tls_init(struct nfp_net *nn)
    if (err)
        return err;

+   if (nn->tlv_caps.crypto_ops & NFP_NET_TLS_OPCODE_MASK_RX) {
+       netdev->hw_features |= NETIF_F_HW_TLS_RX;
+       netdev->features |= NETIF_F_HW_TLS_RX;
+   }
    if (nn->tlv_caps.crypto_ops & NFP_NET_TLS_OPCODE_MASK_TX) {
        netdev->hw_features |= NETIF_F_HW_TLS_TX;
        netdev->features |= NETIF_F_HW_TLS_TX;
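Review bot: Setting `NETIF_F_HW_TLS_RX` in `netdev->features` as well as `netdev->hw_features` turns RX offload on by default wherever the firmware advertises an RX opcode. Receive-side TLS state would then presumably be handed to the NIC without the administrator opting in. If that default is intended (it mirrors the TX block below), a short comment saying so would help. Otherwise drop the `netdev->features |= NETIF_F_HW_TLS_RX;` line so the feature stays user-selectable through ethtool but starts disabled. The closing brace of the TX block is outside this hunk.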
diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net.h b/drivers/net/ethernet/netronome/nfp/nfp_net.h
index 46305f1..6bbd77b 100644
--- a/drivers/net/ethernet/netronome/nfp/nfp_net.h
+++ b/drivers/net/ethernet/netronome/nfp/nfp_net.h
@@ -582,6 +582,7 @@ struct nfp_net_dp {
  * @rx_bar:             Pointer to mapped FL/RX queues
  * @tlv_caps:      Parsed TLV capabilities
  * @ktls_tx_conn_cnt:  Number of offloaded kTLS TX connections
+ * @ktls_rx_conn_cnt:  Number of offloaded kTLS RX connections
  * @ktls_no_space: Counter of firmware rejecting kTLS connection due to
  *         lack of space
  * @mbox_cmsg:     Common Control Message via vNIC mailbox state
@@ -667,6 +668,7 @@ struct nfp_net {
    struct nfp_net_tlv_caps tlv_caps;

    unsigned int ktls_tx_conn_cnt;
+   unsigned int ktls_rx_conn_cnt;

    atomic_t ktls_no_space;
