From c0a4948e1ddab4d90b535c2c5488d85a3db76305 Mon Sep 17 00:00:00 2001 From: Jakub Kicinski Date: Mon, 10 Jun 2019 21:40:07 -0700 Subject: [PATCH] nfp: tls: enable TLS RX offload Set ethtool TLS RX feature based on NIC capabilities, and enable TLS RX when connections are added for decryption. Signed-off-by: Jakub Kicinski Reviewed-by: Dirk van der Merwe Signed-off-by: David S. Miller --- .../ethernet/netronome/nfp/crypto/crypto.h | 5 ++++ .../net/ethernet/netronome/nfp/crypto/tls.c | 25 ++++++++++++++----- drivers/net/ethernet/netronome/nfp/nfp_net.h | 2 ++ 3 files changed, 26 insertions(+), 6 deletions(-) diff --git a/drivers/net/ethernet/netronome/nfp/crypto/crypto.h b/drivers/net/ethernet/netronome/nfp/crypto/crypto.h index 1f97fb443134..591924ad920c 100644 --- a/drivers/net/ethernet/netronome/nfp/crypto/crypto.h +++ b/drivers/net/ethernet/netronome/nfp/crypto/crypto.h @@ -7,6 +7,11 @@ struct nfp_net_tls_offload_ctx { __be32 fw_handle[2]; + u8 rx_end[0]; + /* Tx only fields follow - Rx side does not have enough driver state + * to fit these + */ + u32 next_seq; bool out_of_sync; }; diff --git a/drivers/net/ethernet/netronome/nfp/crypto/tls.c b/drivers/net/ethernet/netronome/nfp/crypto/tls.c index eebaf5e1621d..4427c1d42047 100644 --- a/drivers/net/ethernet/netronome/nfp/crypto/tls.c +++ b/drivers/net/ethernet/netronome/nfp/crypto/tls.c @@ -47,10 +47,16 @@ __nfp_net_tls_conn_cnt_changed(struct nfp_net *nn, int add, u8 opcode; int cnt; - opcode = NFP_NET_CRYPTO_OP_TLS_1_2_AES_GCM_128_ENC; - nn->ktls_tx_conn_cnt += add; - cnt = nn->ktls_tx_conn_cnt; - nn->dp.ktls_tx = !!nn->ktls_tx_conn_cnt; + if (direction == TLS_OFFLOAD_CTX_DIR_TX) { + opcode = NFP_NET_CRYPTO_OP_TLS_1_2_AES_GCM_128_ENC; + nn->ktls_tx_conn_cnt += add; + cnt = nn->ktls_tx_conn_cnt; + nn->dp.ktls_tx = !!nn->ktls_tx_conn_cnt; + } else { + opcode = NFP_NET_CRYPTO_OP_TLS_1_2_AES_GCM_128_DEC; + nn->ktls_rx_conn_cnt += add; + cnt = nn->ktls_rx_conn_cnt; + } /* Care only about 0 -> 1 and 1 -> 0 transitions */ if (cnt > 1) @@ -228,7 +234,7 @@ nfp_net_cipher_supported(struct nfp_net *nn, u16 cipher_type, if (direction == TLS_OFFLOAD_CTX_DIR_TX) bit = NFP_NET_CRYPTO_OP_TLS_1_2_AES_GCM_128_ENC; else - return false; + bit = NFP_NET_CRYPTO_OP_TLS_1_2_AES_GCM_128_DEC; break; default: return false; @@ -256,6 +262,8 @@ nfp_net_tls_add(struct net_device *netdev, struct sock *sk, BUILD_BUG_ON(sizeof(struct nfp_net_tls_offload_ctx) > TLS_DRIVER_STATE_SIZE_TX); + BUILD_BUG_ON(offsetof(struct nfp_net_tls_offload_ctx, rx_end) > + TLS_DRIVER_STATE_SIZE_RX); if (!nfp_net_cipher_supported(nn, crypto_info->cipher_type, direction)) return -EOPNOTSUPP; @@ -341,7 +349,8 @@ nfp_net_tls_add(struct net_device *netdev, struct sock *sk, ntls = tls_driver_ctx(sk, direction); memcpy(ntls->fw_handle, reply->handle, sizeof(ntls->fw_handle)); - ntls->next_seq = start_offload_tcp_sn; + if (direction == TLS_OFFLOAD_CTX_DIR_TX) + ntls->next_seq = start_offload_tcp_sn; dev_consume_skb_any(skb); if (direction == TLS_OFFLOAD_CTX_DIR_TX) @@ -450,6 +459,10 @@ int nfp_net_tls_init(struct nfp_net *nn) if (err) return err; + if (nn->tlv_caps.crypto_ops & NFP_NET_TLS_OPCODE_MASK_RX) { + netdev->hw_features |= NETIF_F_HW_TLS_RX; + netdev->features |= NETIF_F_HW_TLS_RX; + } if (nn->tlv_caps.crypto_ops & NFP_NET_TLS_OPCODE_MASK_TX) { netdev->hw_features |= NETIF_F_HW_TLS_TX; netdev->features |= NETIF_F_HW_TLS_TX; diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net.h b/drivers/net/ethernet/netronome/nfp/nfp_net.h index 46305f181764..6bbd77ba56f2 100644 --- a/drivers/net/ethernet/netronome/nfp/nfp_net.h +++ b/drivers/net/ethernet/netronome/nfp/nfp_net.h @@ -582,6 +582,7 @@ struct nfp_net_dp { * @rx_bar: Pointer to mapped FL/RX queues * @tlv_caps: Parsed TLV capabilities * @ktls_tx_conn_cnt: Number of offloaded kTLS TX connections + * @ktls_rx_conn_cnt: Number of offloaded kTLS RX connections * @ktls_no_space: Counter of firmware rejecting kTLS connection due to * lack of space * @mbox_cmsg: Common Control Message via vNIC mailbox state @@ -667,6 +668,7 @@ struct nfp_net { struct nfp_net_tlv_caps tlv_caps; unsigned int ktls_tx_conn_cnt; + unsigned int ktls_rx_conn_cnt; atomic_t ktls_no_space; -- GitLab