diff options
author | Huy Nguyen <huyn@mellanox.com> | 2020-06-05 16:36:35 -0500 |
---|---|---|
committer | Saeed Mahameed <saeedm@mellanox.com> | 2020-07-16 16:36:48 -0700 |
commit | 5e466345291a91d1722e7198497198becda29e22 (patch) | |
tree | e3c4491d73178d2b80885a47250e6cf941a11eed /drivers/net/ethernet/mellanox/mlx5/core/accel | |
parent | 78fb6122fa2b6b55fafee1b32cd94913ad72f8a4 (diff) | |
download | linux-5e466345291a91d1722e7198497198becda29e22.tar.gz linux-5e466345291a91d1722e7198497198becda29e22.tar.bz2 linux-5e466345291a91d1722e7198497198becda29e22.zip |
net/mlx5e: IPsec: Add IPsec steering in local NIC RX
Introduce decrypt FT, the RX error FT and the default rules.
The IPsec RX decrypt flow table is pointed by the TTC
(Traffic Type Classifier) ESP steering rules.
The decrypt flow table has two flow groups. The first flow group
keeps the decrypt steering rule programmed via the "ip xfrm s" interface.
The second flow group has a default rule to forward all non-offloaded
ESP packet to the TTC ESP default RSS TIR.
The RX error flow table is the destination of the decrypt steering rules
in the IPsec RX decrypt flow table. It has a fixed rule with single
copy action that copies ipsec_syndrome to metadata_regB[0:6]. The IPsec
syndrome is used to filter out non-ipsec packet and to return the IPsec
crypto offload status in Rx flow. The destination of RX error flow table
is the TTC ESP default RSS TIR.
All the FTs (decrypt FT and error FT) are created only when IPsec SAs
are added. If there is no IPsec SAs, the FTs are removed.
Signed-off-by: Huy Nguyen <huyn@mellanox.com>
Reviewed-by: Boris Pismenny <borisp@mellanox.com>
Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Diffstat (limited to 'drivers/net/ethernet/mellanox/mlx5/core/accel')
-rw-r--r-- | drivers/net/ethernet/mellanox/mlx5/core/accel/ipsec_offload.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/accel/ipsec_offload.c b/drivers/net/ethernet/mellanox/mlx5/core/accel/ipsec_offload.c index 1c8923f42b09..c49699d580ff 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/accel/ipsec_offload.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/accel/ipsec_offload.c @@ -4,9 +4,11 @@ #include "mlx5_core.h" #include "ipsec_offload.h" #include "lib/mlx5.h" +#include "en_accel/ipsec_fs.h" #define MLX5_IPSEC_DEV_BASIC_CAPS (MLX5_ACCEL_IPSEC_CAP_DEVICE | MLX5_ACCEL_IPSEC_CAP_IPV6 | \ MLX5_ACCEL_IPSEC_CAP_LSO) + struct mlx5_ipsec_sa_ctx { struct rhash_head hash; u32 enc_key_id; @@ -30,6 +32,10 @@ static u32 mlx5_ipsec_offload_device_caps(struct mlx5_core_dev *mdev) if (!mlx5_is_ipsec_device(mdev)) return 0; + if (!MLX5_CAP_FLOWTABLE_NIC_TX(mdev, ipsec_encrypt) || + !MLX5_CAP_FLOWTABLE_NIC_RX(mdev, ipsec_decrypt)) + return 0; + if (MLX5_CAP_IPSEC(mdev, ipsec_crypto_esp_aes_gcm_128_encrypt) && MLX5_CAP_IPSEC(mdev, ipsec_crypto_esp_aes_gcm_128_decrypt)) caps |= MLX5_ACCEL_IPSEC_CAP_ESP; |