Cover Letter Detail
Show a cover letter.
GET /api/covers/957177/?format=api
{ "id": 957177, "url": "http://patchwork.ozlabs.org/api/covers/957177/?format=api", "web_url": "http://patchwork.ozlabs.org/project/intel-wired-lan/cover/1534185825-12451-1-git-send-email-shannon.nelson@oracle.com/", "project": { "id": 46, "url": "http://patchwork.ozlabs.org/api/projects/46/?format=api", "name": "Intel Wired Ethernet development", "link_name": "intel-wired-lan", "list_id": "intel-wired-lan.osuosl.org", "list_email": "intel-wired-lan@osuosl.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<1534185825-12451-1-git-send-email-shannon.nelson@oracle.com>", "list_archive_url": null, "date": "2018-08-13T18:43:37", "name": "[next-queue,0/8] ixgbe/ixgbevf: IPsec offload support for VFs", "submitter": { "id": 70766, "url": "http://patchwork.ozlabs.org/api/people/70766/?format=api", "name": "Shannon Nelson", "email": "shannon.nelson@oracle.com" }, "mbox": "http://patchwork.ozlabs.org/project/intel-wired-lan/cover/1534185825-12451-1-git-send-email-shannon.nelson@oracle.com/mbox/", "series": [ { "id": 60595, "url": "http://patchwork.ozlabs.org/api/series/60595/?format=api", "web_url": "http://patchwork.ozlabs.org/project/intel-wired-lan/list/?series=60595", "date": "2018-08-13T18:43:38", "name": "ixgbe/ixgbevf: IPsec offload support for VFs", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/60595/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/covers/957177/comments/", "headers": { "Return-Path": "<intel-wired-lan-bounces@osuosl.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "intel-wired-lan@lists.osuosl.org" ], "Delivered-To": [ "patchwork-incoming@bilbo.ozlabs.org", "intel-wired-lan@lists.osuosl.org" ], "Authentication-Results": [ "ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=osuosl.org\n\t(client-ip=140.211.166.137; helo=fraxinus.osuosl.org;\n\tenvelope-from=intel-wired-lan-bounces@osuosl.org;\n\treceiver=<UNKNOWN>)", "ozlabs.org;\n\tdmarc=fail (p=none dis=none) header.from=oracle.com", "ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n\tunprotected) header.d=oracle.com header.i=@oracle.com\n\theader.b=\"UgIYoOjd\"; dkim-atps=neutral" ], "Received": [ "from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 41q4Pr19hDz9s8k\n\tfor <incoming@patchwork.ozlabs.org>;\n\tTue, 14 Aug 2018 04:44:00 +1000 (AEST)", "from localhost (localhost [127.0.0.1])\n\tby fraxinus.osuosl.org (Postfix) with ESMTP id BADBC84742;\n\tMon, 13 Aug 2018 18:43:58 +0000 (UTC)", "from fraxinus.osuosl.org ([127.0.0.1])\n\tby localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)\n\twith ESMTP id xKfEIIYLPq1Z; Mon, 13 Aug 2018 18:43:57 +0000 (UTC)", "from ash.osuosl.org (ash.osuosl.org [140.211.166.34])\n\tby fraxinus.osuosl.org (Postfix) with ESMTP id EF860847C9;\n\tMon, 13 Aug 2018 18:43:57 +0000 (UTC)", "from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n\tby ash.osuosl.org (Postfix) with ESMTP id 3C9F91C0574\n\tfor <intel-wired-lan@lists.osuosl.org>;\n\tMon, 13 Aug 2018 18:43:56 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n\tby fraxinus.osuosl.org (Postfix) with ESMTP id 39D1084742\n\tfor <intel-wired-lan@lists.osuosl.org>;\n\tMon, 13 Aug 2018 18:43:56 +0000 (UTC)", "from fraxinus.osuosl.org ([127.0.0.1])\n\tby localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)\n\twith ESMTP id riA0mY0_C5w7 for <intel-wired-lan@lists.osuosl.org>;\n\tMon, 13 Aug 2018 18:43:55 +0000 (UTC)", "from aserp2120.oracle.com (aserp2120.oracle.com [141.146.126.78])\n\tby fraxinus.osuosl.org (Postfix) with ESMTPS id 7074084736\n\tfor <intel-wired-lan@lists.osuosl.org>;\n\tMon, 13 Aug 2018 18:43:55 +0000 (UTC)", "from pps.filterd (aserp2120.oracle.com [127.0.0.1])\n\tby aserp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id\n\tw7DIefQq038579; Mon, 13 Aug 2018 18:43:52 GMT", "from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233])\n\tby aserp2120.oracle.com with ESMTP id 2ksqrp5hvq-1\n\t(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256\n\tverify=OK); Mon, 13 Aug 2018 18:43:52 +0000", "from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235])\n\tby aserv0021.oracle.com (8.14.4/8.14.4) with ESMTP id\n\tw7DIhqX9022544\n\t(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256\n\tverify=OK); Mon, 13 Aug 2018 18:43:52 GMT", "from abhmp0008.oracle.com (abhmp0008.oracle.com [141.146.116.14])\n\tby aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id\n\tw7DIhpXG025325; Mon, 13 Aug 2018 18:43:51 GMT", "from slnelson-mint18.us.oracle.com (/10.159.144.11)\n\tby default (Oracle Beehive Gateway v4.0)\n\twith ESMTP ; Mon, 13 Aug 2018 11:43:51 -0700" ], "X-Virus-Scanned": [ "amavisd-new at osuosl.org", "amavisd-new at osuosl.org" ], "X-Greylist": "domain auto-whitelisted by SQLgrey-1.7.6", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com;\n\th=from : to : cc :\n\tsubject : date : message-id; s=corp-2018-07-02;\n\tbh=UEB7SHkzXd6QoReef5yNnsNp/TQthXnrYeZyKrReljE=;\n\tb=UgIYoOjd9XZz3H4KT8KwF5X6uCon7tyVJPEkiw17dOGevJH5Q9WIpwy1gtYAPf8L7a4n\n\t0Fiqn36fSKcID7P18F5CGoc/bMwFsk4m7NFReoDR/Pve62Jg40ItHVr+bTr9ET8rZ9pT\n\tUwltHsrAOZNEehYxB1/fyyo+N9LBz8dHSJCSuT9wzMxSlJMfWepzgYcpnXhvSOi0DpYb\n\tGuknaYEWRanALBmcvST58xZKjNk/LrJOmWMKK4QnInaFuq18B/TK6jlOgMTMFLnN8JyQ\n\tRJzg2BPjm6VP8wQL5U2O+jjO2TsmoLILG1XI3hyYIZEIvQbMqDp6ujHbeDmSbvU5Nqnm\n\tEg== ", "From": "Shannon Nelson <shannon.nelson@oracle.com>", "To": "intel-wired-lan@lists.osuosl.org, jeffrey.t.kirsher@intel.com", "Date": "Mon, 13 Aug 2018 11:43:37 -0700", "Message-Id": "<1534185825-12451-1-git-send-email-shannon.nelson@oracle.com>", "X-Mailer": "git-send-email 2.7.4", "X-Proofpoint-Virus-Version": "vendor=nai engine=5900 definitions=8984\n\tsignatures=668707", "X-Proofpoint-Spam-Details": "rule=notspam policy=default score=0 suspectscore=0\n\tmalwarescore=0\n\tphishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999\n\tadultscore=0 classifier=spam adjust=0 reason=mlx scancount=1\n\tengine=8.0.1-1807170000 definitions=main-1808130188", "Subject": "[Intel-wired-lan] [PATCH next-queue 0/8] ixgbe/ixgbevf: IPsec\n\toffload support for VFs", "X-BeenThere": "intel-wired-lan@osuosl.org", "X-Mailman-Version": "2.1.24", "Precedence": "list", "List-Id": "Intel Wired Ethernet Linux Kernel Driver Development\n\t<intel-wired-lan.osuosl.org>", "List-Unsubscribe": "<https://lists.osuosl.org/mailman/options/intel-wired-lan>, \n\t<mailto:intel-wired-lan-request@osuosl.org?subject=unsubscribe>", "List-Archive": "<http://lists.osuosl.org/pipermail/intel-wired-lan/>", "List-Post": "<mailto:intel-wired-lan@osuosl.org>", "List-Help": "<mailto:intel-wired-lan-request@osuosl.org?subject=help>", "List-Subscribe": "<https://lists.osuosl.org/mailman/listinfo/intel-wired-lan>, \n\t<mailto:intel-wired-lan-request@osuosl.org?subject=subscribe>", "Cc": "steffen.klassert@secunet.com, netdev@vger.kernel.org", "MIME-Version": "1.0", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Errors-To": "intel-wired-lan-bounces@osuosl.org", "Sender": "\"Intel-wired-lan\" <intel-wired-lan-bounces@osuosl.org>" }, "content": "This set of patches implements IPsec hardware offload for VF devices in\nIntel's 10Gbe x540 family of Ethernet devices.\n\nThe IPsec HW offload feature has been in the x540/Niantic family of\nnetwork devices since their release in 2009, but there was no Linux\nkernel support for the offload until 2017. After the XFRM code added\nsupport for the offload last year, the hw offload was added to the ixgbe\nPF driver.\n\nSince the related x540 VF device uses same setup as the PF for implementing\nthe offload, adding the feature to the ixgbevf seemed like a good idea.\nIn this case, the PF owns the device registers, so the VF simply packages\nup the request information into a VF<->PF message and the PF does the\ndevice configuration. The resulting IPsec throughput is roughly equivalent\nto what we see in the PF - nearly line-rate, with the expected drop in CPU\ncycles burned. (I'm not great at performance statistics, I'll let better\nfolks do the actual measurements as they pertain to their own usage)\n\nTo make use of the capability, first two things are needed: the PF must\nbe told to enable the offload for VFs (it is off by default) and the VF\nmust be trusted. A new ethtool priv-flag for ixgbe is added to control\nVF offload support. For example:\n\n\tethtool --set-priv-flags eth0 vf-ipsec on\n\tip link set eth0 vf 1 trust on\n\nOnce those are set up and the VF device is UP, the user can add SAs the\nsame as for PFs, whether the VF is in the host or has been assigned to\na VM.\n\nNote that the x540 chip supports a total of 1024 Rx plus 1024 Tx Security\nAssociations (SAs), shared among the PF and VFs that might request them.\nIt is entirely possible for a single VF to soak up all the offload\ncapability, which would likely annoy some people. It seems rather\narbitrary to try to set a limit for how many a VF could be allowed,\nbut this is mitigated somewhat by the need for \"trust\" and \"vf-ipsec\"\nto be enabled. I suppose we could come up with a way to make a limit\nconfigurable, but there is no existing method for adding that kind\nconfiguration so I'll leave that to a future discussion.\n\nCurrently this doesn't support Tx offload as the hardware encryption\nengine doesn't seem to engage on the Tx packets. This may be a lingering\ndriver bug, more investigation is needed. Until then, requests for a Tx\noffload are failed and the userland requester will need to add Tx SAs\nwithout the offload attribute.\n\nGiven that we don't have Tx offload support, the benefit here is less\nthan it could be, but is definitely still noticeable. For example, with\ninformal iperf testing over a 10Gbps link, with full offload in a PF on\none side and a VF in a VM on the other side on a CPU with AES instructions:\n\n Reference:\n\tNo IPsec: 9.4 Gbps\n\tIPsec offload btwn two PFs: 9.2 Gbps\n VF as the iperf receiver:\n\tIPsec offload on PF, none on VF: 6.8 Gbps\n\tIPsec offload on PF and VF: 9.2 Gbps << biggest benefit\n VF as the iperf sender:\n\tIPsec offload on PF, none on VF: 4.8 Gbps\n\tIPsec offload on PF and VF: 4.8 Gbps\n\nThe iperf traffic is primarily uni-directional, and we can see the most\nbenefit when VF is the iperf server and is receiving the test traffic.\nWatching output from sar also shows a nice decrease in CPU utilization.\n\n\nShannon Nelson (8):\n ixgbe: reload ipsec ip table after sa tables\n ixgbe: prep ipsec constants for later use\n ixgbe: add VF ipsec management\n ixgbe: add VF IPsec offload enable flag\n ixgbe: add VF IPsec offload request message handling\n ixgbevf: add defines for IPsec offload request\n ixgbevf: add VF ipsec offload code\n ixgbevf: enable VF ipsec offload operations\n\n drivers/net/ethernet/intel/ixgbe/ixgbe.h | 20 +-\n drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 9 +\n drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 275 ++++++++-\n drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.h | 13 +\n drivers/net/ethernet/intel/ixgbe/ixgbe_mbx.h | 5 +\n drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 17 +-\n drivers/net/ethernet/intel/ixgbevf/Makefile | 1 +\n drivers/net/ethernet/intel/ixgbevf/defines.h | 10 +-\n drivers/net/ethernet/intel/ixgbevf/ethtool.c | 2 +\n drivers/net/ethernet/intel/ixgbevf/ipsec.c | 673 ++++++++++++++++++++++\n drivers/net/ethernet/intel/ixgbevf/ipsec.h | 66 +++\n drivers/net/ethernet/intel/ixgbevf/ixgbevf.h | 33 ++\n drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 74 ++-\n drivers/net/ethernet/intel/ixgbevf/mbx.h | 5 +\n drivers/net/ethernet/intel/ixgbevf/vf.c | 4 +\n 15 files changed, 1163 insertions(+), 44 deletions(-)\n create mode 100644 drivers/net/ethernet/intel/ixgbevf/ipsec.c\n create mode 100644 drivers/net/ethernet/intel/ixgbevf/ipsec.h" }