From patchwork Sun Oct 29 16:31:48 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gregory Etelson X-Patchwork-Id: 133589 X-Patchwork-Delegate: rasland@nvidia.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id EF9C043238; Sun, 29 Oct 2023 17:34:46 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 484BC40E54; Sun, 29 Oct 2023 17:33:27 +0100 (CET) Received: from NAM10-DM6-obe.outbound.protection.outlook.com (mail-dm6nam10on2077.outbound.protection.outlook.com [40.107.93.77]) by mails.dpdk.org (Postfix) with ESMTP id D45C940E54 for ; Sun, 29 Oct 2023 17:33:25 +0100 (CET) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=JIKbaodj6+joydXSEXusoOuDdmofXC2FxzEucwU0yfe4l91iQTyVQFWVOUiKq/PCq+fmPFxO0661ZzBkIbT8nsl+AVVVlPGuTW/2oV5b2H1mUw3z3zW3fHHRAsaIj4ME9zGWlDTdfbAKCqpkZ9A9yQ3uIwl7oxZQ1Yp54zjFR8sNbDID+U5IGh30yihImqdMTY1W0ufW747REboZnoiUxrBSd5L1z/2zD6zmGmMbVcmuENEuKpPQRSsPOerzaHVqTjXy3XtysKNlBcQ8BjAIz71M2wRR6XptCUAEFZY9Vj+zaBpuEP/ZwqxoOfC5W2LVYPEOWHQB3bqpkaDssjqMVg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=RSMsZKVOechGsS8FtSMKl8yi/hBvCQGjscgJOwZwqVM=; b=PdhmDawZCYT95XxOR7GieqCSwXHyg4TZGuXN/Bf8m8ZwTI+wj/yRqeP8j3TPTlonJFxzdKvqL804tCQNZm4a6cJ62oF2XcOD4CCRtXfLbYCKUJ0jNWMqlAWYqcKU3qqlrqzfG47Pbd7SEL5OvcUJxVifJfdZV4ZHySgPciQDQCWIsC04MwpxcYlwMKrOBju7vdnTkAxO3DvIng6L/j2ZT1SHBEoIv3ltgQ4Vjv0Tb4ECZYCBy0MxlSqXwnuCq1Rsq+LKn1Gk3rB8E7YqewPgzwzC5Ld/mcoxXVMRNPa2HrPzh95OEX5flCuqQQVeJ5xssBS9q/1y/KAt25B7u8fLlQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.161) smtp.rcpttodomain=dpdk.org smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=RSMsZKVOechGsS8FtSMKl8yi/hBvCQGjscgJOwZwqVM=; b=r8cR64yDZHSQq1XPyacX9Tn2pDx6pucmw79w6upI2xIDeGipZTbHarDZLRClFga39ELdly9K68P2hMf7UN2clZsXhJ8xqUy7llzrqv9ht3NBRlmYo88kdwUTndOZXOnVDxv5Rgl+P00g6cV5ZAOhb3/Clo1sBTwzPrwIcZFJvQDmgYYl1EIPUyCtzyxefRxP3LEFoW8BC/6B36lMZSCNjvSpvhVvbIdasIHfJ8LYb7GYOmlxIRfkQLDuuEId4m6/kKjxk+92MbNSxEzDRyajJZoNLLn6ByWsMv+yfDTcv0QDxRijRbuCCgqHk7lBcGvTceWOJJzYFcKZsQPJjQH3Mg== Received: from MN2PR16CA0035.namprd16.prod.outlook.com (2603:10b6:208:134::48) by MN2PR12MB4254.namprd12.prod.outlook.com (2603:10b6:208:1d0::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6933.26; Sun, 29 Oct 2023 16:33:23 +0000 Received: from BL02EPF0001A0FC.namprd03.prod.outlook.com (2603:10b6:208:134:cafe::53) by MN2PR16CA0035.outlook.office365.com (2603:10b6:208:134::48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6863.36 via Frontend Transport; Sun, 29 Oct 2023 16:33:23 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.161) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.161 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.161; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (216.228.117.161) by BL02EPF0001A0FC.mail.protection.outlook.com (10.167.242.103) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6933.15 via Frontend Transport; Sun, 29 Oct 2023 16:33:23 +0000 Received: from rnnvmail201.nvidia.com (10.129.68.8) by mail.nvidia.com (10.129.200.67) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.41; Sun, 29 Oct 2023 09:33:07 -0700 Received: from nvidia.com (10.126.231.35) by rnnvmail201.nvidia.com (10.129.68.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.41; Sun, 29 Oct 2023 09:33:04 -0700 From: Gregory Etelson To: CC: , , , "Hamdan Igbaria" , Alex Vesker , Matan Azrad , Viacheslav Ovsiienko , Ori Kam , Suanming Mou Subject: [PATCH 16/30] net/mlx5/hws: support IPsec encryption/decryption action Date: Sun, 29 Oct 2023 18:31:48 +0200 Message-ID: <20231029163202.216450-16-getelson@nvidia.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20231029163202.216450-1-getelson@nvidia.com> References: <20231029163202.216450-1-getelson@nvidia.com> MIME-Version: 1.0 X-Originating-IP: [10.126.231.35] X-ClientProxiedBy: rnnvmail203.nvidia.com (10.129.68.9) To rnnvmail201.nvidia.com (10.129.68.8) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: BL02EPF0001A0FC:EE_|MN2PR12MB4254:EE_ X-MS-Office365-Filtering-Correlation-Id: ca743612-e3a7-4624-dd3a-08dbd89cc4e2 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: NGchDy+knkF0GiS7AqvPlZ9T+JIcjDfsD0ArvX1TvvFJUFX9ZOMSWUkXPGKhXOYe3u0UgCA/c0TQ/ihnm1P5dNGcA07OPW38Gf7hLfOc20U0YvCSN/VfcKesC4iK+fj+TeRxFgrmnWVAOEWHbnFqkxLp1qHFzc8V6xmar74o4DkwwfIfjizY+IKSbulHT8RyccQx883+AUJ7BFX95/z3wXfB/FYLbJ4vh5OUsuxyFOEeckdZxiht0HtFjszP3oxipgUnLdvxKxrJ4RFDUCvSvVvimPKep2tqiSgZyfRywZjLhRzEZrYQH8hKSwIgghApQN6YTJ/w01eGfyQPMcBwTvQwl4e5jb9O2Pp27G42/Sg3sL+Vafq3h9Y4muGA/9u+T5s0gBbeoYvy2b75MKfdA50sBJ43bXoeQKITsj4ilQDkc3U84pZNcAvndPJG3z67sq+/vBvyuv2VJMSAl4cadDVV0qA+VIxFr2/3coKHR5Zk9uBsbIOiKpICrNyJVIE9wLDbpOrtj8lEY+Uzvkra+i8qEJ30OWpnBP1NaV+adYuXXsepXHzyWeuVFlm4q7r7B8tjdjg48YOye83ctdMOblNg3PC/YyKt8xahjz2PcuWATNDcyyx8vLJceBRK3j+ZprB+WYsBjerUcMu0zf64gXjSk4XGsSzntA7oSicTWgr/0kRMbJh2SoFTAAWsUMbENUgwHSjsD08RBYqzOdbmSe0+ZeKGq2r6ln1vS397SyQmpfg51PS+c1AKMRy0217J X-Forefront-Antispam-Report: CIP:216.228.117.161; CTRY:US; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:mail.nvidia.com; PTR:dc6edge2.nvidia.com; CAT:NONE; SFS:(13230031)(4636009)(396003)(39860400002)(136003)(346002)(376002)(230922051799003)(186009)(451199024)(1800799009)(82310400011)(64100799003)(46966006)(40470700004)(36840700001)(40480700001)(40460700003)(55016003)(47076005)(83380400001)(26005)(16526019)(6286002)(107886003)(1076003)(336012)(426003)(356005)(82740400003)(36860700001)(7636003)(70206006)(70586007)(2616005)(316002)(6916009)(5660300002)(54906003)(4326008)(8676002)(8936002)(41300700001)(6666004)(7696005)(2906002)(30864003)(478600001)(36756003)(86362001); DIR:OUT; SFP:1101; X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 Oct 2023 16:33:23.0881 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: ca743612-e3a7-4624-dd3a-08dbd89cc4e2 X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a; Ip=[216.228.117.161]; Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: BL02EPF0001A0FC.namprd03.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR12MB4254 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org From: Hamdan Igbaria Support crypto action creation, this action allows encryption/decryption of the packet according a specific security crypto protocol. For now we support encryption/decryption according ipsec protocol. ipsec encryption handles the encoding of the data. ipsec decryption handles the decoding of the data and a decryption result status will be placed in the ipsec_syndrome field. Both operations should be used only for packets that have esp header and ipsec trailer. Signed-off-by: Hamdan Igbaria Reviewed-by: Alex Vesker Acked-by: Matan Azrad --- drivers/common/mlx5/mlx5_prm.h | 12 ++ drivers/net/mlx5/hws/mlx5dr.h | 42 +++++++ drivers/net/mlx5/hws/mlx5dr_action.c | 172 +++++++++++++++++++++++++- drivers/net/mlx5/hws/mlx5dr_action.h | 44 ++++--- drivers/net/mlx5/hws/mlx5dr_cmd.c | 8 ++ drivers/net/mlx5/hws/mlx5dr_cmd.h | 2 +- drivers/net/mlx5/hws/mlx5dr_debug.c | 2 + drivers/net/mlx5/hws/mlx5dr_matcher.c | 5 + 8 files changed, 266 insertions(+), 21 deletions(-) diff --git a/drivers/common/mlx5/mlx5_prm.h b/drivers/common/mlx5/mlx5_prm.h index 2b499666f8..0eecf0691b 100644 --- a/drivers/common/mlx5/mlx5_prm.h +++ b/drivers/common/mlx5/mlx5_prm.h @@ -3498,6 +3498,8 @@ enum mlx5_ifc_stc_action_type { MLX5_IFC_STC_ACTION_TYPE_HEADER_INSERT = 0x0b, MLX5_IFC_STC_ACTION_TYPE_TAG = 0x0c, MLX5_IFC_STC_ACTION_TYPE_ACC_MODIFY_LIST = 0x0e, + MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_ENCRYPTION = 0x10, + MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_DECRYPTION = 0x11, MLX5_IFC_STC_ACTION_TYPE_ASO = 0x12, MLX5_IFC_STC_ACTION_TYPE_COUNTER = 0x14, MLX5_IFC_STC_ACTION_TYPE_ADD_FIELD = 0x1b, @@ -3546,6 +3548,14 @@ struct mlx5_ifc_stc_ste_param_execute_aso_bits { u8 reserved_at_28[0x18]; }; +struct mlx5_ifc_stc_ste_param_ipsec_encrypt_bits { + u8 ipsec_object_id[0x20]; +}; + +struct mlx5_ifc_stc_ste_param_ipsec_decrypt_bits { + u8 ipsec_object_id[0x20]; +}; + struct mlx5_ifc_stc_ste_param_header_modify_list_bits { u8 header_modify_pattern_id[0x20]; u8 header_modify_argument_id[0x20]; @@ -3612,6 +3622,8 @@ union mlx5_ifc_stc_param_bits { struct mlx5_ifc_set_action_in_bits set; struct mlx5_ifc_copy_action_in_bits copy; struct mlx5_ifc_stc_ste_param_vport_bits vport; + struct mlx5_ifc_stc_ste_param_ipsec_encrypt_bits ipsec_encrypt; + struct mlx5_ifc_stc_ste_param_ipsec_decrypt_bits ipsec_decrypt; u8 reserved_at_0[0x80]; }; diff --git a/drivers/net/mlx5/hws/mlx5dr.h b/drivers/net/mlx5/hws/mlx5dr.h index 39d902e762..74d05229c7 100644 --- a/drivers/net/mlx5/hws/mlx5dr.h +++ b/drivers/net/mlx5/hws/mlx5dr.h @@ -45,6 +45,8 @@ enum mlx5dr_action_type { MLX5DR_ACTION_TYP_PUSH_VLAN, MLX5DR_ACTION_TYP_ASO_METER, MLX5DR_ACTION_TYP_ASO_CT, + MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT, + MLX5DR_ACTION_TYP_CRYPTO_DECRYPT, MLX5DR_ACTION_TYP_DEST_ROOT, MLX5DR_ACTION_TYP_DEST_ARRAY, MLX5DR_ACTION_TYP_MAX, @@ -176,6 +178,22 @@ struct mlx5dr_action_mh_pattern { __be64 *data; }; +enum mlx5dr_action_crypto_op { + MLX5DR_ACTION_CRYPTO_OP_NONE, + MLX5DR_ACTION_CRYPTO_OP_ENCRYPT, + MLX5DR_ACTION_CRYPTO_OP_DECRYPT, +}; + +enum mlx5dr_action_crypto_type { + MLX5DR_ACTION_CRYPTO_TYPE_NISP, + MLX5DR_ACTION_CRYPTO_TYPE_IPSEC, +}; + +struct mlx5dr_action_crypto_attr { + enum mlx5dr_action_crypto_type crypto_type; + enum mlx5dr_action_crypto_op op; +}; + /* In actions that take offset, the offset is unique, pointing to a single * resource and the user should not reuse the same index because data changing * is not atomic. @@ -216,6 +234,10 @@ struct mlx5dr_rule_action { uint32_t offset; enum mlx5dr_action_aso_ct_flags direction; } aso_ct; + + struct { + uint32_t offset; + } crypto; }; }; @@ -691,6 +713,26 @@ mlx5dr_action_create_dest_root(struct mlx5dr_context *ctx, uint16_t priority, uint32_t flags); +/* Create crypto action, this action will create specific security protocol + * encryption/decryption, for now we only support IPSec protocol. + * + * @param[in] ctx + * The context in which the new action will be created. + * @param[in] devx_obj + * The SADB corresponding devx obj + * @param[in] attr + * attributes: specifies if to encrypt/decrypt, + * also specifies the crypto security protocol. + * @param[in] flags + * Action creation flags. (enum mlx5dr_action_flags) + * @return pointer to mlx5dr_action on success NULL otherwise. + */ +struct mlx5dr_action * +mlx5dr_action_create_crypto(struct mlx5dr_context *ctx, + struct mlx5dr_devx_obj *devx_obj, + struct mlx5dr_action_crypto_attr *attr, + uint32_t flags); + /* Destroy direct rule action. * * @param[in] action diff --git a/drivers/net/mlx5/hws/mlx5dr_action.c b/drivers/net/mlx5/hws/mlx5dr_action.c index 11a7c58925..4910b4f730 100644 --- a/drivers/net/mlx5/hws/mlx5dr_action.c +++ b/drivers/net/mlx5/hws/mlx5dr_action.c @@ -9,11 +9,12 @@ #define MLX5DR_ACTION_METER_INIT_COLOR_OFFSET 1 /* This is the maximum allowed action order for each table type: - * TX: POP_VLAN, CTR, ASO_METER, AS_CT, PUSH_VLAN, MODIFY, ENCAP, Term - * RX: TAG, DECAP, POP_VLAN, CTR, ASO_METER, ASO_CT, PUSH_VLAN, MODIFY, - * ENCAP, Term - * FDB: DECAP, POP_VLAN, CTR, ASO_METER, ASO_CT, PUSH_VLAN, MODIFY, - * ENCAP, Term + * TX: POP_VLAN, CTR, ASO_METER, AS_CT, PUSH_VLAN, MODIFY, ENCAP, ENCRYPT, + * Term + * RX: TAG, DECAP, POP_VLAN, CTR, DECRYPT, ASO_METER, ASO_CT, PUSH_VLAN, + * MODIFY, ENCAP, Term + * FDB: DECAP, POP_VLAN, CTR, DECRYPT, ASO_METER, ASO_CT, PUSH_VLAN, MODIFY, + * ENCAP, ENCRYPT, Term */ static const uint32_t action_order_arr[MLX5DR_TABLE_TYPE_MAX][MLX5DR_ACTION_TYP_MAX] = { [MLX5DR_TABLE_TYPE_NIC_RX] = { @@ -23,6 +24,7 @@ static const uint32_t action_order_arr[MLX5DR_TABLE_TYPE_MAX][MLX5DR_ACTION_TYP_ BIT(MLX5DR_ACTION_TYP_POP_VLAN), BIT(MLX5DR_ACTION_TYP_POP_VLAN), BIT(MLX5DR_ACTION_TYP_CTR), + BIT(MLX5DR_ACTION_TYP_CRYPTO_DECRYPT), BIT(MLX5DR_ACTION_TYP_ASO_METER), BIT(MLX5DR_ACTION_TYP_ASO_CT), BIT(MLX5DR_ACTION_TYP_PUSH_VLAN), @@ -49,6 +51,7 @@ static const uint32_t action_order_arr[MLX5DR_TABLE_TYPE_MAX][MLX5DR_ACTION_TYP_ BIT(MLX5DR_ACTION_TYP_MODIFY_HDR), BIT(MLX5DR_ACTION_TYP_REFORMAT_L2_TO_TNL_L2) | BIT(MLX5DR_ACTION_TYP_REFORMAT_L2_TO_TNL_L3), + BIT(MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT), BIT(MLX5DR_ACTION_TYP_TBL) | BIT(MLX5DR_ACTION_TYP_MISS) | BIT(MLX5DR_ACTION_TYP_DROP) | @@ -61,6 +64,7 @@ static const uint32_t action_order_arr[MLX5DR_TABLE_TYPE_MAX][MLX5DR_ACTION_TYP_ BIT(MLX5DR_ACTION_TYP_POP_VLAN), BIT(MLX5DR_ACTION_TYP_POP_VLAN), BIT(MLX5DR_ACTION_TYP_CTR), + BIT(MLX5DR_ACTION_TYP_CRYPTO_DECRYPT), BIT(MLX5DR_ACTION_TYP_ASO_METER), BIT(MLX5DR_ACTION_TYP_ASO_CT), BIT(MLX5DR_ACTION_TYP_PUSH_VLAN), @@ -68,6 +72,7 @@ static const uint32_t action_order_arr[MLX5DR_TABLE_TYPE_MAX][MLX5DR_ACTION_TYP_ BIT(MLX5DR_ACTION_TYP_MODIFY_HDR), BIT(MLX5DR_ACTION_TYP_REFORMAT_L2_TO_TNL_L2) | BIT(MLX5DR_ACTION_TYP_REFORMAT_L2_TO_TNL_L3), + BIT(MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT), BIT(MLX5DR_ACTION_TYP_TBL) | BIT(MLX5DR_ACTION_TYP_MISS) | BIT(MLX5DR_ACTION_TYP_VPORT) | @@ -266,6 +271,41 @@ bool mlx5dr_action_check_combo(enum mlx5dr_action_type *user_actions, return valid_combo; } +bool mlx5dr_action_check_restrictions(struct mlx5dr_matcher *matcher, + enum mlx5dr_action_type *actions) +{ + uint32_t restricted_bits; + uint8_t idx = 0; + + /* Check for restricted actions, these actions are restricted + * to RX or TX only in FDB domain. + * if one of these actions presented require correct optimize_flow_src. + */ + if (matcher->tbl->type != MLX5DR_TABLE_TYPE_FDB) + return false; + + switch (matcher->attr.optimize_flow_src) { + case MLX5DR_MATCHER_FLOW_SRC_WIRE: + restricted_bits = BIT(MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT); + break; + case MLX5DR_MATCHER_FLOW_SRC_VPORT: + restricted_bits = BIT(MLX5DR_ACTION_TYP_CRYPTO_DECRYPT); + break; + default: + restricted_bits = BIT(MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT) | + BIT(MLX5DR_ACTION_TYP_CRYPTO_DECRYPT); + } + + while (actions[idx] != MLX5DR_ACTION_TYP_LAST) { + if (BIT(actions[idx++]) & restricted_bits) { + DR_LOG(ERR, "Invalid actions combination containing restricted actions was provided"); + return true; + } + } + + return false; +} + int mlx5dr_action_root_build_attr(struct mlx5dr_rule_action rule_actions[], uint32_t num_actions, struct mlx5dv_flow_action_attr *attr) @@ -383,6 +423,24 @@ mlx5dr_action_fixup_stc_attr(struct mlx5dr_context *ctx, use_fixup = true; break; + case MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_ENCRYPTION: + if (fw_tbl_type == FS_FT_FDB_RX) { + fixup_stc_attr->action_type = MLX5_IFC_STC_ACTION_TYPE_NOP; + fixup_stc_attr->action_offset = stc_attr->action_offset; + fixup_stc_attr->stc_offset = stc_attr->stc_offset; + use_fixup = true; + } + break; + + case MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_DECRYPTION: + if (fw_tbl_type == FS_FT_FDB_TX) { + fixup_stc_attr->action_type = MLX5_IFC_STC_ACTION_TYPE_NOP; + fixup_stc_attr->action_offset = stc_attr->action_offset; + fixup_stc_attr->stc_offset = stc_attr->stc_offset; + use_fixup = true; + } + break; + default: break; } @@ -605,6 +663,16 @@ static void mlx5dr_action_fill_stc_attr(struct mlx5dr_action *action, attr->insert_header.insert_offset = MLX5DR_ACTION_HDR_LEN_L2_MACS; attr->insert_header.header_size = MLX5DR_ACTION_HDR_LEN_L2_VLAN; break; + case MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT: + attr->action_type = MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_ENCRYPTION; + attr->action_offset = MLX5DR_ACTION_OFFSET_DW5; + attr->id = obj->id; + break; + case MLX5DR_ACTION_TYP_CRYPTO_DECRYPT: + attr->action_type = MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_DECRYPTION; + attr->action_offset = MLX5DR_ACTION_OFFSET_DW5; + attr->id = obj->id; + break; default: DR_LOG(ERR, "Invalid action type %d", action->type); assert(false); @@ -1943,6 +2011,55 @@ mlx5dr_action_create_dest_root(struct mlx5dr_context *ctx, return NULL; } +struct mlx5dr_action * +mlx5dr_action_create_crypto(struct mlx5dr_context *ctx, + struct mlx5dr_devx_obj *devx_obj, + struct mlx5dr_action_crypto_attr *attr, + uint32_t flags) +{ + enum mlx5dr_action_type action_type; + struct mlx5dr_action *action; + + if (mlx5dr_action_is_root_flags(flags)) { + DR_LOG(ERR, "Action flags must be only non root (HWS)"); + rte_errno = ENOTSUP; + return NULL; + } + + if (attr->crypto_type != MLX5DR_ACTION_CRYPTO_TYPE_IPSEC) { + rte_errno = ENOTSUP; + return NULL; + } + + if (attr->op == MLX5DR_ACTION_CRYPTO_OP_ENCRYPT) { + if (flags & MLX5DR_ACTION_FLAG_HWS_RX) { + rte_errno = EINVAL; + return NULL; + } + action_type = MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT; + } else if (attr->op == MLX5DR_ACTION_CRYPTO_OP_DECRYPT) { + if (flags & MLX5DR_ACTION_FLAG_HWS_TX) { + rte_errno = EINVAL; + return NULL; + } + action_type = MLX5DR_ACTION_TYP_CRYPTO_DECRYPT; + } else { + rte_errno = ENOTSUP; + return NULL; + } + + action = mlx5dr_action_create_generic(ctx, flags, action_type); + if (!action) + return NULL; + + if (mlx5dr_action_create_stcs(action, devx_obj)) { + simple_free(action); + return NULL; + } + + return action; +} + static void mlx5dr_action_destroy_hws(struct mlx5dr_action *action) { struct mlx5dr_devx_obj *obj = NULL; @@ -1963,6 +2080,8 @@ static void mlx5dr_action_destroy_hws(struct mlx5dr_action *action) case MLX5DR_ACTION_TYP_ASO_METER: case MLX5DR_ACTION_TYP_ASO_CT: case MLX5DR_ACTION_TYP_PUSH_VLAN: + case MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT: + case MLX5DR_ACTION_TYP_CRYPTO_DECRYPT: mlx5dr_action_destroy_stcs(action); break; case MLX5DR_ACTION_TYP_DEST_ROOT: @@ -2460,6 +2579,33 @@ mlx5dr_action_setter_common_decap(struct mlx5dr_actions_apply_data *apply, MLX5DR_CONTEXT_SHARED_STC_DECAP)); } +static void +mlx5dr_action_setter_crypto_encryption(struct mlx5dr_actions_apply_data *apply, + struct mlx5dr_actions_wqe_setter *setter) +{ + struct mlx5dr_rule_action *rule_action; + + rule_action = &apply->rule_action[setter->idx_single]; + apply->wqe_data[MLX5DR_ACTION_OFFSET_DW5] = htobe32(rule_action->crypto.offset); + mlx5dr_action_apply_stc(apply, MLX5DR_ACTION_STC_IDX_DW5, setter->idx_single); +} + +static void +mlx5dr_action_setter_crypto_decryption(struct mlx5dr_actions_apply_data *apply, + struct mlx5dr_actions_wqe_setter *setter) +{ + struct mlx5dr_rule_action *rule_action; + + rule_action = &apply->rule_action[setter->idx_triple]; + + mlx5dr_action_apply_stc(apply, MLX5DR_ACTION_STC_IDX_DW5, setter->idx_triple); + apply->wqe_ctrl->stc_ix[MLX5DR_ACTION_STC_IDX_DW6] = 0; + apply->wqe_ctrl->stc_ix[MLX5DR_ACTION_STC_IDX_DW7] = 0; + apply->wqe_data[MLX5DR_ACTION_OFFSET_DW5] = htobe32(rule_action->crypto.offset); + apply->wqe_data[MLX5DR_ACTION_OFFSET_DW6] = 0; + apply->wqe_data[MLX5DR_ACTION_OFFSET_DW7] = 0; +} + int mlx5dr_action_template_process(struct mlx5dr_action_template *at) { struct mlx5dr_actions_wqe_setter *start_setter = at->setters + 1; @@ -2594,6 +2740,22 @@ int mlx5dr_action_template_process(struct mlx5dr_action_template *at) setter->idx_ctr = i; break; + case MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT: + /* Single encryption action, consume triple due to HW limitations */ + setter = mlx5dr_action_setter_find_first(last_setter, ASF_TRIPLE); + setter->flags |= ASF_TRIPLE; + setter->set_single = &mlx5dr_action_setter_crypto_encryption; + setter->idx_single = i; + break; + + case MLX5DR_ACTION_TYP_CRYPTO_DECRYPT: + /* Triple decryption action */ + setter = mlx5dr_action_setter_find_first(last_setter, ASF_TRIPLE); + setter->flags |= ASF_TRIPLE; + setter->set_triple = &mlx5dr_action_setter_crypto_decryption; + setter->idx_triple = i; + break; + default: DR_LOG(ERR, "Unsupported action type: %d", action_type[i]); rte_errno = ENOTSUP; diff --git a/drivers/net/mlx5/hws/mlx5dr_action.h b/drivers/net/mlx5/hws/mlx5dr_action.h index 582a38bebc..6bfa0bcc4a 100644 --- a/drivers/net/mlx5/hws/mlx5dr_action.h +++ b/drivers/net/mlx5/hws/mlx5dr_action.h @@ -21,6 +21,8 @@ enum mlx5dr_action_stc_idx { MLX5DR_ACTION_STC_IDX_LAST_COMBO1 = 3, /* STC combo2: CTR, 3 x SINGLE, Hit */ MLX5DR_ACTION_STC_IDX_LAST_COMBO2 = 4, + /* STC combo2: CTR, TRIPLE, Hit */ + MLX5DR_ACTION_STC_IDX_LAST_COMBO3 = 2, }; enum mlx5dr_action_offset { @@ -52,6 +54,7 @@ enum mlx5dr_action_setter_flag { ASF_SINGLE2 = 1 << 1, ASF_SINGLE3 = 1 << 2, ASF_DOUBLE = ASF_SINGLE2 | ASF_SINGLE3, + ASF_TRIPLE = ASF_SINGLE1 | ASF_DOUBLE, ASF_REPARSE = 1 << 3, ASF_REMOVE = 1 << 4, ASF_MODIFY = 1 << 5, @@ -94,10 +97,12 @@ typedef void (*mlx5dr_action_setter_fp) struct mlx5dr_actions_wqe_setter { mlx5dr_action_setter_fp set_single; mlx5dr_action_setter_fp set_double; + mlx5dr_action_setter_fp set_triple; mlx5dr_action_setter_fp set_hit; mlx5dr_action_setter_fp set_ctr; uint8_t idx_single; uint8_t idx_double; + uint8_t idx_triple; uint8_t idx_ctr; uint8_t idx_hit; uint8_t flags; @@ -183,6 +188,9 @@ int mlx5dr_action_template_process(struct mlx5dr_action_template *at); bool mlx5dr_action_check_combo(enum mlx5dr_action_type *user_actions, enum mlx5dr_table_type table_type); +bool mlx5dr_action_check_restrictions(struct mlx5dr_matcher *matcher, + enum mlx5dr_action_type *actions); + int mlx5dr_action_alloc_single_stc(struct mlx5dr_context *ctx, struct mlx5dr_cmd_stc_modify_attr *stc_attr, uint32_t table_type, @@ -230,26 +238,32 @@ mlx5dr_action_apply_setter(struct mlx5dr_actions_apply_data *apply, uint8_t num_of_actions; /* Set control counter */ - if (setter->flags & ASF_CTR) + if (setter->set_ctr) setter->set_ctr(apply, setter); else mlx5dr_action_setter_default_ctr(apply, setter); - /* Set single and double on match */ if (!is_jumbo) { - if (setter->flags & ASF_SINGLE1) - setter->set_single(apply, setter); - else - mlx5dr_action_setter_default_single(apply, setter); - - if (setter->flags & ASF_DOUBLE) - setter->set_double(apply, setter); - else - mlx5dr_action_setter_default_double(apply, setter); - - num_of_actions = setter->flags & ASF_DOUBLE ? - MLX5DR_ACTION_STC_IDX_LAST_COMBO1 : - MLX5DR_ACTION_STC_IDX_LAST_COMBO2; + if (unlikely(setter->set_triple)) { + /* Set triple on match */ + setter->set_triple(apply, setter); + num_of_actions = MLX5DR_ACTION_STC_IDX_LAST_COMBO3; + } else { + /* Set single and double on match */ + if (setter->set_single) + setter->set_single(apply, setter); + else + mlx5dr_action_setter_default_single(apply, setter); + + if (setter->set_double) + setter->set_double(apply, setter); + else + mlx5dr_action_setter_default_double(apply, setter); + + num_of_actions = setter->set_double ? + MLX5DR_ACTION_STC_IDX_LAST_COMBO1 : + MLX5DR_ACTION_STC_IDX_LAST_COMBO2; + } } else { apply->wqe_data[MLX5DR_ACTION_OFFSET_DW5] = 0; apply->wqe_data[MLX5DR_ACTION_OFFSET_DW6] = 0; diff --git a/drivers/net/mlx5/hws/mlx5dr_cmd.c b/drivers/net/mlx5/hws/mlx5dr_cmd.c index c52cdd0767..3b3690699d 100644 --- a/drivers/net/mlx5/hws/mlx5dr_cmd.c +++ b/drivers/net/mlx5/hws/mlx5dr_cmd.c @@ -541,6 +541,14 @@ mlx5dr_cmd_stc_modify_set_stc_param(struct mlx5dr_cmd_stc_modify_attr *stc_attr, MLX5_SET(stc_ste_param_remove_words, stc_parm, remove_size, stc_attr->remove_words.num_of_words); break; + case MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_ENCRYPTION: + MLX5_SET(stc_ste_param_ipsec_encrypt, stc_parm, ipsec_object_id, + stc_attr->id); + break; + case MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_DECRYPTION: + MLX5_SET(stc_ste_param_ipsec_decrypt, stc_parm, ipsec_object_id, + stc_attr->id); + break; default: DR_LOG(ERR, "Not supported type %d", stc_attr->action_type); rte_errno = EINVAL; diff --git a/drivers/net/mlx5/hws/mlx5dr_cmd.h b/drivers/net/mlx5/hws/mlx5dr_cmd.h index 03db62e2e2..7bbb684dbd 100644 --- a/drivers/net/mlx5/hws/mlx5dr_cmd.h +++ b/drivers/net/mlx5/hws/mlx5dr_cmd.h @@ -100,7 +100,7 @@ struct mlx5dr_cmd_stc_modify_attr { uint8_t action_offset; enum mlx5_ifc_stc_action_type action_type; union { - uint32_t id; /* TIRN, TAG, FT ID, STE ID */ + uint32_t id; /* TIRN, TAG, FT ID, STE ID, CRYPTO */ struct { uint8_t decap; uint16_t start_anchor; diff --git a/drivers/net/mlx5/hws/mlx5dr_debug.c b/drivers/net/mlx5/hws/mlx5dr_debug.c index e7b1f2cc32..8cf3909606 100644 --- a/drivers/net/mlx5/hws/mlx5dr_debug.c +++ b/drivers/net/mlx5/hws/mlx5dr_debug.c @@ -24,6 +24,8 @@ const char *mlx5dr_debug_action_type_str[] = { [MLX5DR_ACTION_TYP_ASO_CT] = "ASO_CT", [MLX5DR_ACTION_TYP_DEST_ROOT] = "DEST_ROOT", [MLX5DR_ACTION_TYP_DEST_ARRAY] = "DEST_ARRAY", + [MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT] = "CRYPTO_ENCRYPT", + [MLX5DR_ACTION_TYP_CRYPTO_DECRYPT] = "CRYPTO_DECRYPT", }; static_assert(ARRAY_SIZE(mlx5dr_debug_action_type_str) == MLX5DR_ACTION_TYP_MAX, diff --git a/drivers/net/mlx5/hws/mlx5dr_matcher.c b/drivers/net/mlx5/hws/mlx5dr_matcher.c index a82c182460..6f74cf3677 100644 --- a/drivers/net/mlx5/hws/mlx5dr_matcher.c +++ b/drivers/net/mlx5/hws/mlx5dr_matcher.c @@ -714,6 +714,11 @@ static int mlx5dr_matcher_check_and_process_at(struct mlx5dr_matcher *matcher, return rte_errno; } + if (mlx5dr_action_check_restrictions(matcher, at->action_type_arr)) { + rte_errno = EINVAL; + return rte_errno; + } + /* Process action template to setters */ ret = mlx5dr_action_template_process(at); if (ret) {