[next-queue,3/8] ixgbe: add VF ipsec management

Message ID	1534185825-12451-4-git-send-email-shannon.nelson@oracle.com
State	Accepted
Delegated to:	Jeff Kirsher
Headers	show Return-Path: <intel-wired-lan-bounces@osuosl.org> From: Shannon Nelson <shannon.nelson@oracle.com> To: intel-wired-lan@lists.osuosl.org, jeffrey.t.kirsher@intel.com Date: Mon, 13 Aug 2018 11:43:40 -0700 Message-Id: <1534185825-12451-4-git-send-email-shannon.nelson@oracle.com> In-Reply-To: <1534185825-12451-1-git-send-email-shannon.nelson@oracle.com> References: <1534185825-12451-1-git-send-email-shannon.nelson@oracle.com> Subject: [Intel-wired-lan] [PATCH next-queue 3/8] ixgbe: add VF ipsec management Precedence: list Cc: steffen.klassert@secunet.com, netdev@vger.kernel.org MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: intel-wired-lan-bounces@osuosl.org Sender: "Intel-wired-lan" <intel-wired-lan-bounces@osuosl.org>
Series	ixgbe/ixgbevf: IPsec offload support for VFs \| expand [next-queue,0/8] ixgbe/ixgbevf: IPsec offload support for VFs [next-queue,1/8] ixgbe: reload ipsec ip table after sa tables [next-queue,2/8] ixgbe: prep ipsec constants for later use [next-queue,3/8] ixgbe: add VF ipsec management [next-queue,4/8] ixgbe: add VF IPsec offload enable flag [next-queue,5/8] ixgbe: add VF IPsec offload request message handling [next-queue,6/8] ixgbevf: add defines for IPsec offload request [next-queue,7/8] ixgbevf: add VF ipsec offload code [next-queue,8/8] ixgbevf: enable VF ipsec offload operations

Message ID

1534185825-12451-4-git-send-email-shannon.nelson@oracle.com

State

Accepted

Delegated to:

Jeff Kirsher

Headers

From: Shannon Nelson <shannon.nelson@oracle.com>
To: intel-wired-lan@lists.osuosl.org, jeffrey.t.kirsher@intel.com
Date: Mon, 13 Aug 2018 11:43:40 -0700
Message-Id: <1534185825-12451-4-git-send-email-shannon.nelson@oracle.com>
In-Reply-To: <1534185825-12451-1-git-send-email-shannon.nelson@oracle.com>
References: <1534185825-12451-1-git-send-email-shannon.nelson@oracle.com>
Subject: [Intel-wired-lan] [PATCH next-queue 3/8] ixgbe: add VF ipsec
	management
Precedence: list
Cc: steffen.klassert@secunet.com, netdev@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: intel-wired-lan-bounces@osuosl.org
Sender: "Intel-wired-lan" <intel-wired-lan-bounces@osuosl.org>

Series

ixgbe/ixgbevf: IPsec offload support for VFs | expand

Commit Message

Shannon Nelson Aug. 13, 2018, 6:43 p.m. UTC

Add functions to translate VF IPsec offload add and delete requests
into something the existing code can work with.

Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com>
---
 drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 256 ++++++++++++++++++++++++-
 drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.h |  13 ++
 2 files changed, 260 insertions(+), 9 deletions(-)

Comments

kernel test robot Aug. 14, 2018, 5:31 a.m. UTC | #1

Hi Shannon,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on jkirsher-next-queue/dev-queue]
[also build test ERROR on v4.18 next-20180813]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Shannon-Nelson/ixgbe-ixgbevf-IPsec-offload-support-for-VFs/20180814-074800
base:   https://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue.git dev-queue
config: x86_64-randconfig-v0-08131550 (attached as .config)
compiler: gcc-7 (Debian 7.3.0-16) 7.3.0
reproduce:
        # save the attached .config to linux build tree
        make ARCH=x86_64 

All errors (new ones prefixed by >>):

   drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.o: In function `ixgbe_ipsec_vf_add_sa':
>> drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c:917: undefined reference to `xfrm_aead_get_byname'
   make[1]: *** [vmlinux] Error 1
   make[1]: Target '_all' not remade because of errors.

vim +917 drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c

   862	
   863	/**
   864	 * ixgbe_ipsec_vf_add_sa - translate VF request to SA add
   865	 * @adapter: board private structure
   866	 * @msgbuf: The message buffer
   867	 * @vf: the VF index
   868	 *
   869	 * Make up a new xs and algorithm info from the data sent by the VF.
   870	 * We only need to sketch in just enough to set up the HW offload.
   871	 * Put the resulting offload_handle into the return message to the VF.
   872	 *
   873	 * Returns 0 or error value
   874	 **/
   875	int ixgbe_ipsec_vf_add_sa(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf)
   876	{
   877		struct ixgbe_ipsec *ipsec = adapter->ipsec;
   878		struct xfrm_algo_desc *algo;
   879		struct sa_mbx_msg *sam;
   880		struct xfrm_state *xs;
   881		size_t aead_len;
   882		u16 sa_idx;
   883		u32 pfsa;
   884		int err;
   885	
   886		sam = (struct sa_mbx_msg *)(&msgbuf[1]);
   887		if (!adapter->vfinfo[vf].trusted) {
   888			e_warn(drv, "VF %d attempted to add an IPsec SA\n", vf);
   889			err = -EACCES;
   890			goto err_out;
   891		}
   892	
   893		/* Tx IPsec offload doesn't seem to work on this
   894		 * device, so block these requests for now.
   895		 */
   896		if (!(sam->flags & XFRM_OFFLOAD_INBOUND)) {
   897			err = -ENXIO;
   898			goto err_out;
   899		}
   900	
   901		xs = kzalloc(sizeof(*xs), GFP_KERNEL);
   902		if (unlikely(!xs)) {
   903			err = -ENOMEM;
   904			goto err_out;
   905		}
   906	
   907		xs->xso.flags = sam->flags;
   908		xs->id.spi = sam->spi;
   909		xs->id.proto = sam->proto;
   910		xs->props.family = sam->family;
   911		if (xs->props.family == AF_INET6)
   912			memcpy(&xs->id.daddr.a6, sam->addr, sizeof(xs->id.daddr.a6));
   913		else
   914			memcpy(&xs->id.daddr.a4, sam->addr, sizeof(xs->id.daddr.a4));
   915		xs->xso.dev = adapter->netdev;
   916	
 > 917		algo = xfrm_aead_get_byname(aes_gcm_name, IXGBE_IPSEC_AUTH_BITS, 1);
   918		if (unlikely(!algo)) {
   919			err = -ENOENT;
   920			goto err_xs;
   921		}
   922	
   923		aead_len = sizeof(*xs->aead) + IXGBE_IPSEC_KEY_BITS / 8;
   924		xs->aead = kzalloc(aead_len, GFP_KERNEL);
   925		if (unlikely(!xs->aead)) {
   926			err = -ENOMEM;
   927			goto err_xs;
   928		}
   929	
   930		xs->props.ealgo = algo->desc.sadb_alg_id;
   931		xs->geniv = algo->uinfo.aead.geniv;
   932		xs->aead->alg_icv_len = IXGBE_IPSEC_AUTH_BITS;
   933		xs->aead->alg_key_len = IXGBE_IPSEC_KEY_BITS;
   934		memcpy(xs->aead->alg_key, sam->key, sizeof(sam->key));
   935		memcpy(xs->aead->alg_name, aes_gcm_name, sizeof(aes_gcm_name));
   936	
   937		/* set up the HW offload */
   938		err = ixgbe_ipsec_add_sa(xs);
   939		if (err)
   940			goto err_aead;
   941	
   942		pfsa = xs->xso.offload_handle;
   943		if (pfsa < IXGBE_IPSEC_BASE_TX_INDEX) {
   944			sa_idx = pfsa - IXGBE_IPSEC_BASE_RX_INDEX;
   945			ipsec->rx_tbl[sa_idx].vf = vf;
   946			ipsec->rx_tbl[sa_idx].mode |= IXGBE_RXTXMOD_VF;
   947		} else {
   948			sa_idx = pfsa - IXGBE_IPSEC_BASE_TX_INDEX;
   949			ipsec->tx_tbl[sa_idx].vf = vf;
   950			ipsec->tx_tbl[sa_idx].mode |= IXGBE_RXTXMOD_VF;
   951		}
   952	
   953		msgbuf[1] = xs->xso.offload_handle;
   954	
   955		return 0;
   956	
   957	err_aead:
   958		memset(xs->aead, 0, sizeof(*xs->aead));
   959		kfree(xs->aead);
   960	err_xs:
   961		memset(xs, 0, sizeof(*xs));
   962		kfree(xs);
   963	err_out:
   964		msgbuf[1] = err;
   965		return err;
   966	}
   967	

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation

Shannon Nelson Aug. 14, 2018, 6:55 p.m. UTC | #2

On 8/13/2018 10:31 PM, kbuild test robot wrote:
> Hi Shannon,
> 
> Thank you for the patch! Yet something to improve:
> 
> [auto build test ERROR on jkirsher-next-queue/dev-queue]
> [also build test ERROR on v4.18 next-20180813]
> [if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
> 
> url:    https://github.com/0day-ci/linux/commits/Shannon-Nelson/ixgbe-ixgbevf-IPsec-offload-support-for-VFs/20180814-074800
> base:   https://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue.git dev-queue
> config: x86_64-randconfig-v0-08131550 (attached as .config)
> compiler: gcc-7 (Debian 7.3.0-16) 7.3.0
> reproduce:
>          # save the attached .config to linux build tree
>          make ARCH=x86_64
> 
> All errors (new ones prefixed by >>):
> 
>     drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.o: In function `ixgbe_ipsec_vf_add_sa':
>>> drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c:917: undefined reference to `xfrm_aead_get_byname'
>     make[1]: *** [vmlinux] Error 1
>     make[1]: Target '_all' not remade because of errors.
> 

Huh, odd.  I'm not able to reproduce this error using your config file 
in a net-next tree of vintage v4.18-rc8 or in Jeff's dev-queue branch. 
It looks like I'm using an older compiler (4.8.5) but that shouldn't 
make a difference here.

sln

Bowers, AndrewX Aug. 16, 2018, 9:07 p.m. UTC | #3

> -----Original Message-----
> From: Intel-wired-lan [mailto:intel-wired-lan-bounces@osuosl.org] On
> Behalf Of Shannon Nelson
> Sent: Monday, August 13, 2018 11:44 AM
> To: intel-wired-lan@lists.osuosl.org; Kirsher, Jeffrey T
> <jeffrey.t.kirsher@intel.com>
> Cc: steffen.klassert@secunet.com; netdev@vger.kernel.org
> Subject: [Intel-wired-lan] [PATCH next-queue 3/8] ixgbe: add VF ipsec
> management
> 
> Add functions to translate VF IPsec offload add and delete requests into
> something the existing code can work with.
> 
> Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com>
> ---
>  drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 256
> ++++++++++++++++++++++++-
> drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.h |  13 ++
>  2 files changed, 260 insertions(+), 9 deletions(-)

Tested-by: Andrew Bowers <andrewx.bowers@intel.com>

diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
index 3afb1fe..80108e1 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
@@ -8,6 +8,8 @@ 
 #define IXGBE_IPSEC_KEY_BITS  160
 static const char aes_gcm_name[] = "rfc4106(gcm(aes))";
 
+static void ixgbe_ipsec_del_sa(struct xfrm_state *xs);
+
 /**
  * ixgbe_ipsec_set_tx_sa - set the Tx SA registers
  * @hw: hw specific details
@@ -289,6 +291,13 @@  static void ixgbe_ipsec_start_engine(struct ixgbe_adapter *adapter)
 /**
  * ixgbe_ipsec_restore - restore the ipsec HW settings after a reset
  * @adapter: board private structure
+ *
+ * Reload the HW tables from the SW tables after they've been bashed
+ * by a chip reset.
+ *
+ * Any VF entries are removed from the SW and HW tables since either
+ * (a) the VF also gets reset on PF reset and will ask again for the
+ * offloads, or (b) the VF has been removed by a change in the num_vfs.
  **/
 void ixgbe_ipsec_restore(struct ixgbe_adapter *adapter)
 {
@@ -306,16 +315,24 @@  void ixgbe_ipsec_restore(struct ixgbe_adapter *adapter)
 
 	/* reload the Rx and Tx keys */
 	for (i = 0; i < IXGBE_IPSEC_MAX_SA_COUNT; i++) {
-		struct rx_sa *rsa = &ipsec->rx_tbl[i];
-		struct tx_sa *tsa = &ipsec->tx_tbl[i];
-
-		if (rsa->used)
-			ixgbe_ipsec_set_rx_sa(hw, i, rsa->xs->id.spi,
-					      rsa->key, rsa->salt,
-					      rsa->mode, rsa->iptbl_ind);
+		struct rx_sa *r = &ipsec->rx_tbl[i];
+		struct tx_sa *t = &ipsec->tx_tbl[i];
+
+		if (r->used) {
+			if (r->mode & IXGBE_RXTXMOD_VF)
+				ixgbe_ipsec_del_sa(r->xs);
+			else
+				ixgbe_ipsec_set_rx_sa(hw, i, r->xs->id.spi,
+						      r->key, r->salt,
+						      r->mode, r->iptbl_ind);
+		}
 
-		if (tsa->used)
-			ixgbe_ipsec_set_tx_sa(hw, i, tsa->key, tsa->salt);
+		if (t->used) {
+			if (t->mode & IXGBE_RXTXMOD_VF)
+				ixgbe_ipsec_del_sa(t->xs);
+			else
+				ixgbe_ipsec_set_tx_sa(hw, i, t->key, t->salt);
+		}
 	}
 
 	/* reload the IP addrs */
@@ -381,6 +398,8 @@  static struct xfrm_state *ixgbe_ipsec_find_rx_state(struct ixgbe_ipsec *ipsec,
 	rcu_read_lock();
 	hash_for_each_possible_rcu(ipsec->rx_sa_list, rsa, hlist,
 				   (__force u32)spi) {
+		if (rsa->mode & IXGBE_RXTXMOD_VF)
+			continue;
 		if (spi == rsa->xs->id.spi &&
 		    ((ip4 && *daddr == rsa->xs->id.daddr.a4) ||
 		      (!ip4 && !memcmp(daddr, &rsa->xs->id.daddr.a6,
@@ -809,6 +828,225 @@  static const struct xfrmdev_ops ixgbe_xfrmdev_ops = {
 };
 
 /**
+ * ixgbe_ipsec_vf_clear - clear the tables of data for a VF
+ * @adapter: board private structure
+ * @vf: VF id to be removed
+ **/
+void ixgbe_ipsec_vf_clear(struct ixgbe_adapter *adapter, u32 vf)
+{
+	struct ixgbe_ipsec *ipsec = adapter->ipsec;
+	int i;
+
+	/* search rx sa table */
+	for (i = 0; i < IXGBE_IPSEC_MAX_SA_COUNT && ipsec->num_rx_sa; i++) {
+		if (!ipsec->rx_tbl[i].used)
+			continue;
+		if (ipsec->rx_tbl[i].mode & IXGBE_RXTXMOD_VF &&
+		    ipsec->rx_tbl[i].vf == vf)
+			ixgbe_ipsec_del_sa(ipsec->rx_tbl[i].xs);
+	}
+
+	/* search tx sa table */
+	for (i = 0; i < IXGBE_IPSEC_MAX_SA_COUNT && ipsec->num_tx_sa; i++) {
+		if (!ipsec->tx_tbl[i].used)
+			continue;
+		if (ipsec->tx_tbl[i].mode & IXGBE_RXTXMOD_VF &&
+		    ipsec->tx_tbl[i].vf == vf)
+			ixgbe_ipsec_del_sa(ipsec->tx_tbl[i].xs);
+	}
+}
+
+/**
+ * ixgbe_ipsec_vf_add_sa - translate VF request to SA add
+ * @adapter: board private structure
+ * @msgbuf: The message buffer
+ * @vf: the VF index
+ *
+ * Make up a new xs and algorithm info from the data sent by the VF.
+ * We only need to sketch in just enough to set up the HW offload.
+ * Put the resulting offload_handle into the return message to the VF.
+ *
+ * Returns 0 or error value
+ **/
+int ixgbe_ipsec_vf_add_sa(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf)
+{
+	struct ixgbe_ipsec *ipsec = adapter->ipsec;
+	struct xfrm_algo_desc *algo;
+	struct sa_mbx_msg *sam;
+	struct xfrm_state *xs;
+	size_t aead_len;
+	u16 sa_idx;
+	u32 pfsa;
+	int err;
+
+	sam = (struct sa_mbx_msg *)(&msgbuf[1]);
+	if (!adapter->vfinfo[vf].trusted) {
+		e_warn(drv, "VF %d attempted to add an IPsec SA\n", vf);
+		err = -EACCES;
+		goto err_out;
+	}
+
+	/* Tx IPsec offload doesn't seem to work on this
+	 * device, so block these requests for now.
+	 */
+	if (!(sam->flags & XFRM_OFFLOAD_INBOUND)) {
+		err = -ENXIO;
+		goto err_out;
+	}
+
+	xs = kzalloc(sizeof(*xs), GFP_KERNEL);
+	if (unlikely(!xs)) {
+		err = -ENOMEM;
+		goto err_out;
+	}
+
+	xs->xso.flags = sam->flags;
+	xs->id.spi = sam->spi;
+	xs->id.proto = sam->proto;
+	xs->props.family = sam->family;
+	if (xs->props.family == AF_INET6)
+		memcpy(&xs->id.daddr.a6, sam->addr, sizeof(xs->id.daddr.a6));
+	else
+		memcpy(&xs->id.daddr.a4, sam->addr, sizeof(xs->id.daddr.a4));
+	xs->xso.dev = adapter->netdev;
+
+	algo = xfrm_aead_get_byname(aes_gcm_name, IXGBE_IPSEC_AUTH_BITS, 1);
+	if (unlikely(!algo)) {
+		err = -ENOENT;
+		goto err_xs;
+	}
+
+	aead_len = sizeof(*xs->aead) + IXGBE_IPSEC_KEY_BITS / 8;
+	xs->aead = kzalloc(aead_len, GFP_KERNEL);
+	if (unlikely(!xs->aead)) {
+		err = -ENOMEM;
+		goto err_xs;
+	}
+
+	xs->props.ealgo = algo->desc.sadb_alg_id;
+	xs->geniv = algo->uinfo.aead.geniv;
+	xs->aead->alg_icv_len = IXGBE_IPSEC_AUTH_BITS;
+	xs->aead->alg_key_len = IXGBE_IPSEC_KEY_BITS;
+	memcpy(xs->aead->alg_key, sam->key, sizeof(sam->key));
+	memcpy(xs->aead->alg_name, aes_gcm_name, sizeof(aes_gcm_name));
+
+	/* set up the HW offload */
+	err = ixgbe_ipsec_add_sa(xs);
+	if (err)
+		goto err_aead;
+
+	pfsa = xs->xso.offload_handle;
+	if (pfsa < IXGBE_IPSEC_BASE_TX_INDEX) {
+		sa_idx = pfsa - IXGBE_IPSEC_BASE_RX_INDEX;
+		ipsec->rx_tbl[sa_idx].vf = vf;
+		ipsec->rx_tbl[sa_idx].mode |= IXGBE_RXTXMOD_VF;
+	} else {
+		sa_idx = pfsa - IXGBE_IPSEC_BASE_TX_INDEX;
+		ipsec->tx_tbl[sa_idx].vf = vf;
+		ipsec->tx_tbl[sa_idx].mode |= IXGBE_RXTXMOD_VF;
+	}
+
+	msgbuf[1] = xs->xso.offload_handle;
+
+	return 0;
+
+err_aead:
+	memset(xs->aead, 0, sizeof(*xs->aead));
+	kfree(xs->aead);
+err_xs:
+	memset(xs, 0, sizeof(*xs));
+	kfree(xs);
+err_out:
+	msgbuf[1] = err;
+	return err;
+}
+
+/**
+ * ixgbe_ipsec_vf_del_sa - translate VF request to SA delete
+ * @adapter: board private structure
+ * @msgbuf: The message buffer
+ * @vf: the VF index
+ *
+ * Given the offload_handle sent by the VF, look for the related SA table
+ * entry and use its xs field to call for a delete of the SA.
+ *
+ * Note: We silently ignore requests to delete entries that are already
+ *       set to unused because when a VF is set to "DOWN", the PF first
+ *       gets a reset and clears all the VF's entries; then the VF's
+ *       XFRM stack sends individual deletes for each entry, which the
+ *       reset already removed.  In the future it might be good to try to
+ *       optimize this so not so many unnecessary delete messages are sent.
+ *
+ * Returns 0 or error value
+ **/
+int ixgbe_ipsec_vf_del_sa(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf)
+{
+	struct ixgbe_ipsec *ipsec = adapter->ipsec;
+	struct xfrm_state *xs;
+	u32 pfsa = msgbuf[1];
+	u16 sa_idx;
+
+	if (!adapter->vfinfo[vf].trusted) {
+		e_err(drv, "vf %d attempted to delete an SA\n", vf);
+		return -EPERM;
+	}
+
+	if (pfsa < IXGBE_IPSEC_BASE_TX_INDEX) {
+		struct rx_sa *rsa;
+
+		sa_idx = pfsa - IXGBE_IPSEC_BASE_RX_INDEX;
+		if (sa_idx >= IXGBE_IPSEC_MAX_SA_COUNT) {
+			e_err(drv, "vf %d SA index %d out of range\n",
+			      vf, sa_idx);
+			return -EINVAL;
+		}
+
+		rsa = &ipsec->rx_tbl[sa_idx];
+
+		if (!rsa->used)
+			return 0;
+
+		if (!(rsa->mode & IXGBE_RXTXMOD_VF) ||
+		    rsa->vf != vf) {
+			e_err(drv, "vf %d bad Rx SA index %d\n", vf, sa_idx);
+			return -ENOENT;
+		}
+
+		xs = ipsec->rx_tbl[sa_idx].xs;
+	} else {
+		struct tx_sa *tsa;
+
+		sa_idx = pfsa - IXGBE_IPSEC_BASE_TX_INDEX;
+		if (sa_idx >= IXGBE_IPSEC_MAX_SA_COUNT) {
+			e_err(drv, "vf %d SA index %d out of range\n",
+			      vf, sa_idx);
+			return -EINVAL;
+		}
+
+		tsa = &ipsec->tx_tbl[sa_idx];
+
+		if (!tsa->used)
+			return 0;
+
+		if (!(tsa->mode & IXGBE_RXTXMOD_VF) ||
+		    tsa->vf != vf) {
+			e_err(drv, "vf %d bad Tx SA index %d\n", vf, sa_idx);
+			return -ENOENT;
+		}
+
+		xs = ipsec->tx_tbl[sa_idx].xs;
+	}
+
+	ixgbe_ipsec_del_sa(xs);
+
+	/* remove the xs that was made-up in the add request */
+	memset(xs, 0, sizeof(*xs));
+	kfree(xs);
+
+	return 0;
+}
+
+/**
  * ixgbe_ipsec_tx - setup Tx flags for ipsec offload
  * @tx_ring: outgoing context
  * @first: current data packet
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.h
index 9ef7faa..d2b64ff 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.h
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.h
@@ -26,6 +26,7 @@  enum ixgbe_ipsec_tbl_sel {
 #define IXGBE_RXMOD_PROTO_ESP		0x00000004
 #define IXGBE_RXMOD_DECRYPT		0x00000008
 #define IXGBE_RXMOD_IPV6		0x00000010
+#define IXGBE_RXTXMOD_VF		0x00000020
 
 struct rx_sa {
 	struct hlist_node hlist;
@@ -37,6 +38,7 @@  struct rx_sa {
 	u8  iptbl_ind;
 	bool used;
 	bool decrypt;
+	u32 vf;
 };
 
 struct rx_ip_sa {
@@ -49,8 +51,10 @@  struct tx_sa {
 	struct xfrm_state *xs;
 	u32 key[4];
 	u32 salt;
+	u32 mode;
 	bool encrypt;
 	bool used;
+	u32 vf;
 };
 
 struct ixgbe_ipsec_tx_data {
@@ -67,4 +71,13 @@  struct ixgbe_ipsec {
 	struct tx_sa *tx_tbl;
 	DECLARE_HASHTABLE(rx_sa_list, 10);
 };
+
+struct sa_mbx_msg {
+	__be32 spi;
+	u8 flags;
+	u8 proto;
+	u16 family;
+	__be32 addr[4];
+	u32 key[5];
+};
 #endif /* _IXGBE_IPSEC_H_ */

[next-queue,3/8] ixgbe: add VF ipsec management

Commit Message

Comments

Patch