nfp: tls: enable TLS RX offload
authorJakub Kicinski <jakub.kicinski@netronome.com>
Tue, 11 Jun 2019 04:40:07 +0000 (21:40 -0700)
committerDavid S. Miller <davem@davemloft.net>
Tue, 11 Jun 2019 19:22:27 +0000 (12:22 -0700)
Set ethtool TLS RX feature based on NIC capabilities, and enable
TLS RX when connections are added for decryption.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/netronome/nfp/crypto/crypto.h
drivers/net/ethernet/netronome/nfp/crypto/tls.c
drivers/net/ethernet/netronome/nfp/nfp_net.h

index 1f97fb44313495ed6b6cedf25864bd4c9e795ddf..591924ad920c143bb681c99603b883a1f9f45718 100644 (file)
@@ -7,6 +7,11 @@
 struct nfp_net_tls_offload_ctx {
        __be32 fw_handle[2];
 
+       u8 rx_end[0];
+       /* Tx only fields follow - Rx side does not have enough driver state
+        * to fit these
+        */
+
        u32 next_seq;
        bool out_of_sync;
 };
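Review bot: The comment above `rx_end` should state the invariant the rest of the series relies on: only the members before `rx_end` (here just `fw_handle`) are valid through a context obtained for `TLS_OFFLOAD_CTX_DIR_RX`, because the `BUILD_BUG_ON` added in tls.c only checks `offsetof(struct nfp_net_tls_offload_ctx, rx_end)` against `TLS_DRIVER_STATE_SIZE_RX`, so writing `next_seq` or `out_of_sync` through an Rx context would run past the driver state the core allocated. Today that is guarded only by the `direction` check added around the `next_seq` store in `nfp_net_tls_add`, which is easy to lose in a later change. Something like `/* Only fw_handle fits in the Rx driver state (TLS_DRIVER_STATE_SIZE_RX); never touch the fields below rx_end through an Rx context. */` makes the contract visible at the definition. `rx_end[0]` is also a GNU zero-length array used purely as an `offsetof` anchor; a word saying it must never be indexed would not hurt.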
index eebaf5e1621d955dbba3e832c4ef6ab1502b0051..4427c1d42047f604731dd147b5af6a747e8c610f 100644 (file)
@@ -47,10 +47,16 @@ __nfp_net_tls_conn_cnt_changed(struct nfp_net *nn, int add,
        u8 opcode;
        int cnt;
 
-       opcode = NFP_NET_CRYPTO_OP_TLS_1_2_AES_GCM_128_ENC;
-       nn->ktls_tx_conn_cnt += add;
-       cnt = nn->ktls_tx_conn_cnt;
-       nn->dp.ktls_tx = !!nn->ktls_tx_conn_cnt;
+       if (direction == TLS_OFFLOAD_CTX_DIR_TX) {
+               opcode = NFP_NET_CRYPTO_OP_TLS_1_2_AES_GCM_128_ENC;
+               nn->ktls_tx_conn_cnt += add;
+               cnt = nn->ktls_tx_conn_cnt;
+               nn->dp.ktls_tx = !!nn->ktls_tx_conn_cnt;
+       } else {
+               opcode = NFP_NET_CRYPTO_OP_TLS_1_2_AES_GCM_128_DEC;
+               nn->ktls_rx_conn_cnt += add;
+               cnt = nn->ktls_rx_conn_cnt;
+       }
 
        /* Care only about 0 -> 1 and 1 -> 0 transitions */
        if (cnt > 1)
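Review bot: The Rx branch updates only the counter and `opcode`, while the Tx branch also mirrors the count into `nn->dp.ktls_tx`; if the absence of an Rx datapath flag is deliberate, say so in the `else` branch so a later reader does not add one by analogy, e.g. `/* unlike Tx, Rx has no dp flag to mirror the count into */`. The `else` also silently treats every non-Tx value of `direction` as Rx, which is fine for the two-value enum but worth a word if more directions ever appear. `__nfp_net_tls_conn_cnt_changed` starts before this hunk and its firmware call follows after it.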
@@ -228,7 +234,7 @@ nfp_net_cipher_supported(struct nfp_net *nn, u16 cipher_type,
                if (direction == TLS_OFFLOAD_CTX_DIR_TX)
                        bit = NFP_NET_CRYPTO_OP_TLS_1_2_AES_GCM_128_ENC;
                else
-                       return false;
+                       bit = NFP_NET_CRYPTO_OP_TLS_1_2_AES_GCM_128_DEC;
                break;
        default:
                return false;
@@ -256,6 +262,8 @@ nfp_net_tls_add(struct net_device *netdev, struct sock *sk,
 
        BUILD_BUG_ON(sizeof(struct nfp_net_tls_offload_ctx) >
                     TLS_DRIVER_STATE_SIZE_TX);
+       BUILD_BUG_ON(offsetof(struct nfp_net_tls_offload_ctx, rx_end) >
+                    TLS_DRIVER_STATE_SIZE_RX);
 
        if (!nfp_net_cipher_supported(nn, crypto_info->cipher_type, direction))
                return -EOPNOTSUPP;
@@ -341,7 +349,8 @@ nfp_net_tls_add(struct net_device *netdev, struct sock *sk,
 
        ntls = tls_driver_ctx(sk, direction);
        memcpy(ntls->fw_handle, reply->handle, sizeof(ntls->fw_handle));
-       ntls->next_seq = start_offload_tcp_sn;
+       if (direction == TLS_OFFLOAD_CTX_DIR_TX)
+               ntls->next_seq = start_offload_tcp_sn;
        dev_consume_skb_any(skb);
 
        if (direction == TLS_OFFLOAD_CTX_DIR_TX)
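Review bot: The new `if (direction == TLS_OFFLOAD_CTX_DIR_TX)` around the `next_seq` store is immediately followed by an identical test, separated only by `dev_consume_skb_any(skb)`, which does not touch `ntls`; folding `ntls->next_seq = start_offload_tcp_sn;` into the existing Tx-only block after moving `dev_consume_skb_any(skb)` above it would keep the per-direction state handling in one place and make the "Tx-only fields" rule from crypto.h visible here. The body of that second `if` and the remainder of `nfp_net_tls_add` lie outside the hunk, so confirm nothing in it depends on the skb still being held. The function also begins before this hunk.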
@@ -450,6 +459,10 @@ int nfp_net_tls_init(struct nfp_net *nn)
        if (err)
                return err;
 
+       if (nn->tlv_caps.crypto_ops & NFP_NET_TLS_OPCODE_MASK_RX) {
+               netdev->hw_features |= NETIF_F_HW_TLS_RX;
+               netdev->features |= NETIF_F_HW_TLS_RX;
+       }
        if (nn->tlv_caps.crypto_ops & NFP_NET_TLS_OPCODE_MASK_TX) {
                netdev->hw_features |= NETIF_F_HW_TLS_TX;
                netdev->features |= NETIF_F_HW_TLS_TX;
index 46305f181764084d9a9869016afd3af69cd37d36..6bbd77ba56f2697c88d72c0ca62442f2d87e9e0a 100644 (file)
@@ -582,6 +582,7 @@ struct nfp_net_dp {
  * @rx_bar:             Pointer to mapped FL/RX queues
  * @tlv_caps:          Parsed TLV capabilities
  * @ktls_tx_conn_cnt:  Number of offloaded kTLS TX connections
+ * @ktls_rx_conn_cnt:  Number of offloaded kTLS RX connections
  * @ktls_no_space:     Counter of firmware rejecting kTLS connection due to
  *                     lack of space
  * @mbox_cmsg:         Common Control Message via vNIC mailbox state
@@ -667,6 +668,7 @@ struct nfp_net {
        struct nfp_net_tlv_caps tlv_caps;
 
        unsigned int ktls_tx_conn_cnt;
+       unsigned int ktls_rx_conn_cnt;
 
        atomic_t ktls_no_space;