diff mbox series

[net-next] octeontx2-pf: mcs: Offload extended packet number(XPN) feature

Message ID 1683730283-9353-1-git-send-email-sbhatta@marvell.com (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Series [net-next] octeontx2-pf: mcs: Offload extended packet number(XPN) feature

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 8 this patch: 8
netdev/cc_maintainers success CCed 9 of 9 maintainers
netdev/build_clang success Errors and warnings before: 8 this patch: 8
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn fail Errors and warnings before: 22 this patch: 24
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 237 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Subbaraya Sundeep May 10, 2023, 2:51 p.m. UTC
The macsec hardware block supports XPN cipher suites also.
Hence added changes to offload XPN feature. Changes include
configuring SecY policy to XPN cipher suite, Salt and SSCI values.
64 bit packet number is passed instead of 32 bit packet number.

Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
Signed-off-by: Sunil Kovvuri Goutham <sgoutham@marvell.com>
---
 .../ethernet/marvell/octeontx2/nic/cn10k_macsec.c  | 89 +++++++++++++++++-----
 .../ethernet/marvell/octeontx2/nic/otx2_common.h   |  5 ++
 2 files changed, 75 insertions(+), 19 deletions(-)

Comments

Simon Horman May 10, 2023, 6:12 p.m. UTC | #1
On Wed, May 10, 2023 at 08:21:23PM +0530, Subbaraya Sundeep wrote:
> The macsec hardware block supports XPN cipher suites also.
> Hence added changes to offload XPN feature. Changes include
> configuring SecY policy to XPN cipher suite, Salt and SSCI values.
> 64 bit packet number is passed instead of 32 bit packet number.
> 
> Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
> Signed-off-by: Sunil Kovvuri Goutham <sgoutham@marvell.com>

...

> @@ -349,6 +366,15 @@ static int cn10k_mcs_write_rx_sa_plcy(struct otx2_nic *pfvf,
>  		reg++;
>  	}
>  
> +	if (secy->xpn) {
> +		memcpy((u8 *)&salt_63_0, salt_p, 8);
> +		memcpy((u8 *)&ssci_salt_95_64, salt_p + 8, 4);
> +		ssci_salt_95_64 |= (u64)rxsc->ssci[assoc_num] << 32;

Hi Subbaraya,

Sparse says:

drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c:372:37: warning: cast from restricted ssci_t
drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c:611:37: warning: cast from restricted ssci_t

I think if you really need a u64 here then you need (__force u64).
But of course at that point any help types and annotations give
you have been thrown out the window.

> +
> +		plcy_req->plcy[0][6] = salt_63_0;
> +		plcy_req->plcy[0][7] = ssci_salt_95_64;
> +	}
> +
>  	plcy_req->sa_index[0] = rxsc->hw_sa_id[assoc_num];
>  	plcy_req->sa_cnt = 1;
>  	plcy_req->dir = MCS_RX;

...

> @@ -561,6 +605,15 @@ static int cn10k_mcs_write_tx_sa_plcy(struct otx2_nic *pfvf,
>  		reg++;
>  	}
>  
> +	if (secy->xpn) {
> +		memcpy((u8 *)&salt_63_0, salt_p, 8);
> +		memcpy((u8 *)&ssci_salt_95_64, salt_p + 8, 4);
> +		ssci_salt_95_64 |= (u64)txsc->ssci[assoc_num] << 32;
> +
> +		plcy_req->plcy[0][6] = salt_63_0;
> +		plcy_req->plcy[0][7] = ssci_salt_95_64;
> +	}
> +
>  	plcy_req->plcy[0][8] = assoc_num;
>  	plcy_req->sa_index[0] = txsc->hw_sa_id[assoc_num];
>  	plcy_req->sa_cnt = 1;

...

Subbaraya Sundeep May 11, 2023, 5:42 a.m. UTC | #2
Hi Simon,

>-----Original Message-----
>From: Simon Horman <simon.horman@corigine.com>
>Sent: Wednesday, May 10, 2023 11:43 PM
>To: Subbaraya Sundeep Bhatta <sbhatta@marvell.com>
>Cc: netdev@vger.kernel.org; davem@davemloft.net; edumazet@google.com;
>kuba@kernel.org; pabeni@redhat.com; Geethasowjanya Akula
><gakula@marvell.com>; Naveen Mamindlapalli <naveenm@marvell.com>;
>Hariprasad Kelam <hkelam@marvell.com>; Linu Cherian
><lcherian@marvell.com>; Sunil Kovvuri Goutham <sgoutham@marvell.com>
>Subject: Re: [net-next PATCH] octeontx2-pf: mcs: Offload extended packet
>number(XPN) feature
>
>On Wed, May 10, 2023 at 08:21:23PM +0530, Subbaraya Sundeep wrote:
>> The macsec hardware block supports XPN cipher suites also.
>> Hence added changes to offload XPN feature. Changes include
>> configuring SecY policy to XPN cipher suite, Salt and SSCI values.
>> 64 bit packet number is passed instead of 32 bit packet number.
>>
>> Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
>> Signed-off-by: Sunil Kovvuri Goutham <sgoutham@marvell.com>
>
>...
>
>> @@ -349,6 +366,15 @@ static int cn10k_mcs_write_rx_sa_plcy(struct otx2_nic
>*pfvf,
>>  		reg++;
>>  	}
>>
>> +	if (secy->xpn) {
>> +		memcpy((u8 *)&salt_63_0, salt_p, 8);
>> +		memcpy((u8 *)&ssci_salt_95_64, salt_p + 8, 4);
>> +		ssci_salt_95_64 |= (u64)rxsc->ssci[assoc_num] << 32;
>
>Hi Subbaraya,
>
>Sparse says:
>
>drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c:372:37: warning:
>cast from restricted ssci_t
>drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c:611:37: warning:
>cast from restricted ssci_t
>
>I think if you really need a u64 here then you need (__force u64).
>But of course at that point any help types and annotations give you have been
>thrown out the window.
>
Yeah __force is required. I overlooked the warnings from sparse. I will submit v2.

Thanks,
Sundeep

>> +
>> +		plcy_req->plcy[0][6] = salt_63_0;
>> +		plcy_req->plcy[0][7] = ssci_salt_95_64;
>> +	}
>> +
>>  	plcy_req->sa_index[0] = rxsc->hw_sa_id[assoc_num];
>>  	plcy_req->sa_cnt = 1;
>>  	plcy_req->dir = MCS_RX;
>
>...
>
>> @@ -561,6 +605,15 @@ static int cn10k_mcs_write_tx_sa_plcy(struct otx2_nic
>*pfvf,
>>  		reg++;
>>  	}
>>
>> +	if (secy->xpn) {
>> +		memcpy((u8 *)&salt_63_0, salt_p, 8);
>> +		memcpy((u8 *)&ssci_salt_95_64, salt_p + 8, 4);
>> +		ssci_salt_95_64 |= (u64)txsc->ssci[assoc_num] << 32;
>> +
>> +		plcy_req->plcy[0][6] = salt_63_0;
>> +		plcy_req->plcy[0][7] = ssci_salt_95_64;
>> +	}
>> +
>>  	plcy_req->plcy[0][8] = assoc_num;
>>  	plcy_req->sa_index[0] = txsc->hw_sa_id[assoc_num];
>>  	plcy_req->sa_cnt = 1;
>
>...

Patch

diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
index aea4c80..37420f9 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
@@ -6,7 +6,6 @@ 
 
 #include <linux/rtnetlink.h>
 #include <linux/bitfield.h>
-#include <net/macsec.h>
 #include "otx2_common.h"
 
 #define MCS_TCAM0_MAC_DA_MASK		GENMASK_ULL(47, 0)
@@ -212,6 +211,7 @@  static int cn10k_mcs_write_rx_secy(struct otx2_nic *pfvf,
 	struct mcs_secy_plcy_write_req *req;
 	struct mbox *mbox = &pfvf->mbox;
 	u64 policy;
+	u8 cipher;
 	int ret;
 
 	mutex_lock(&mbox->lock);
@@ -227,7 +227,21 @@  static int cn10k_mcs_write_rx_secy(struct otx2_nic *pfvf,
 		policy |= MCS_RX_SECY_PLCY_RP;
 
 	policy |= MCS_RX_SECY_PLCY_AUTH_ENA;
-	policy |= FIELD_PREP(MCS_RX_SECY_PLCY_CIP, MCS_GCM_AES_128);
+
+	switch (secy->key_len) {
+	case 16:
+		cipher = secy->xpn ? MCS_GCM_AES_XPN_128 : MCS_GCM_AES_128;
+		break;
+	case 32:
+		cipher = secy->xpn ? MCS_GCM_AES_XPN_256 : MCS_GCM_AES_256;
+		break;
+	default:
+		cipher = MCS_GCM_AES_128;
+		dev_warn(pfvf->dev, "Unsupported key length\n");
+		break;
+	};
+
+	policy |= FIELD_PREP(MCS_RX_SECY_PLCY_CIP, cipher);
 	policy |= FIELD_PREP(MCS_RX_SECY_PLCY_VAL, secy->validate_frames);
 
 	policy |= MCS_RX_SECY_PLCY_ENA;
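Review bot: In the `default:` branch of the new `switch (secy->key_len)`, the code falls back to `MCS_GCM_AES_128` and carries on programming the policy, even when `secy->xpn` is set, so the hardware can end up with a cipher suite that matches neither the key length nor the XPN mode the SecY was configured with. Returning an error from this path (after dropping `mbox->lock`) would be safer than a `dev_warn()`, and the message should print `secy->key_len`. The `};` closing the switch also has a stray semicolon.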
@@ -323,9 +337,12 @@  static int cn10k_mcs_write_rx_sa_plcy(struct otx2_nic *pfvf,
 {
 	unsigned char *src = rxsc->sa_key[assoc_num];
 	struct mcs_sa_plcy_write_req *plcy_req;
+	u8 *salt_p = rxsc->salt[assoc_num];
 	struct mcs_rx_sc_sa_map *map_req;
 	struct mbox *mbox = &pfvf->mbox;
+	u64 ssci_salt_95_64 = 0;
 	u8 reg, key_len;
+	u64 salt_63_0;
 	int ret;
 
 	mutex_lock(&mbox->lock);
@@ -349,6 +366,15 @@  static int cn10k_mcs_write_rx_sa_plcy(struct otx2_nic *pfvf,
 		reg++;
 	}
 
+	if (secy->xpn) {
+		memcpy((u8 *)&salt_63_0, salt_p, 8);
+		memcpy((u8 *)&ssci_salt_95_64, salt_p + 8, 4);
+		ssci_salt_95_64 |= (u64)rxsc->ssci[assoc_num] << 32;
+
+		plcy_req->plcy[0][6] = salt_63_0;
+		plcy_req->plcy[0][7] = ssci_salt_95_64;
+	}
+
 	plcy_req->sa_index[0] = rxsc->hw_sa_id[assoc_num];
 	plcy_req->sa_cnt = 1;
 	plcy_req->dir = MCS_RX;
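Review bot: The cast in `ssci_salt_95_64 |= (u64)rxsc->ssci[assoc_num] << 32;` discards the `ssci_t` annotation, which is what sparse reports in this thread as "cast from restricted ssci_t". If the raw value is what the hardware expects, use `(__force u64)` and add a comment stating the byte order the policy word takes. The two `memcpy()` calls into `u64` variables also make the resulting register value depend on host endianness, which the same comment should cover.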
@@ -404,6 +430,7 @@  static int cn10k_mcs_write_tx_secy(struct otx2_nic *pfvf,
 	u8 tag_offset = 12;
 	u8 sectag_tci = 0;
 	u64 policy;
+	u8 cipher;
 	int ret;
 
 	sw_tx_sc = &secy->tx_sc;
@@ -434,7 +461,21 @@  static int cn10k_mcs_write_tx_secy(struct otx2_nic *pfvf,
 	policy |= FIELD_PREP(MCS_TX_SECY_PLCY_ST_OFFSET, tag_offset);
 	policy |= MCS_TX_SECY_PLCY_INS_MODE;
 	policy |= MCS_TX_SECY_PLCY_AUTH_ENA;
-	policy |= FIELD_PREP(MCS_TX_SECY_PLCY_CIP, MCS_GCM_AES_128);
+
+	switch (secy->key_len) {
+	case 16:
+		cipher = secy->xpn ? MCS_GCM_AES_XPN_128 : MCS_GCM_AES_128;
+		break;
+	case 32:
+		cipher = secy->xpn ? MCS_GCM_AES_XPN_256 : MCS_GCM_AES_256;
+		break;
+	default:
+		cipher = MCS_GCM_AES_128;
+		dev_warn(pfvf->dev, "Unsupported key length\n");
+		break;
+	};
+
+	policy |= FIELD_PREP(MCS_TX_SECY_PLCY_CIP, cipher);
 
 	if (secy->protect_frames)
 		policy |= MCS_TX_SECY_PLCY_PROTECT;
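Review bot: The `switch (secy->key_len)` here duplicates the one in `cn10k_mcs_write_rx_secy()` line for line, including the `default:` fallback to `MCS_GCM_AES_128` and the stray `;` after the closing brace. A single helper that maps `secy->key_len` and `secy->xpn` to a cipher value, and reports an unsupported length to its caller, would keep the RX and TX policies from drifting apart.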
@@ -544,8 +585,11 @@  static int cn10k_mcs_write_tx_sa_plcy(struct otx2_nic *pfvf,
 {
 	unsigned char *src = txsc->sa_key[assoc_num];
 	struct mcs_sa_plcy_write_req *plcy_req;
+	u8 *salt_p = txsc->salt[assoc_num];
 	struct mbox *mbox = &pfvf->mbox;
+	u64 ssci_salt_95_64 = 0;
 	u8 reg, key_len;
+	u64 salt_63_0;
 	int ret;
 
 	mutex_lock(&mbox->lock);
@@ -561,6 +605,15 @@  static int cn10k_mcs_write_tx_sa_plcy(struct otx2_nic *pfvf,
 		reg++;
 	}
 
+	if (secy->xpn) {
+		memcpy((u8 *)&salt_63_0, salt_p, 8);
+		memcpy((u8 *)&ssci_salt_95_64, salt_p + 8, 4);
+		ssci_salt_95_64 |= (u64)txsc->ssci[assoc_num] << 32;
+
+		plcy_req->plcy[0][6] = salt_63_0;
+		plcy_req->plcy[0][7] = ssci_salt_95_64;
+	}
+
 	plcy_req->plcy[0][8] = assoc_num;
 	plcy_req->sa_index[0] = txsc->hw_sa_id[assoc_num];
 	plcy_req->sa_cnt = 1;
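Review bot: `plcy_req->plcy[0][6]` and `plcy_req->plcy[0][7]` are written with bare indices and no comment on the layout. The variable names imply salt bits 63:0 in word 6 and salt bits 95:64 plus the SSCI in the upper 32 bits of word 7, but that should be stated in a comment or captured in named constants. The block is also identical to the RX one apart from `txsc`, so a shared helper taking the salt pointer and SSCI would keep the packing, and the cast sparse flags at line 611, in one place.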
@@ -922,8 +975,7 @@  static int cn10k_mcs_secy_tx_cfg(struct otx2_nic *pfvf, struct macsec_secy *secy
 {
 	if (sw_tx_sa) {
 		cn10k_mcs_write_tx_sa_plcy(pfvf, secy, txsc, sa_num);
-		cn10k_write_tx_sa_pn(pfvf, txsc, sa_num,
-				     sw_tx_sa->next_pn_halves.lower);
+		cn10k_write_tx_sa_pn(pfvf, txsc, sa_num, sw_tx_sa->next_pn);
 		cn10k_mcs_link_tx_sa2sc(pfvf, secy, txsc, sa_num,
 					sw_tx_sa->active);
 	}
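Review bot: `cn10k_write_tx_sa_pn()` now receives the full 64-bit `sw_tx_sa->next_pn` for every SecY, where it previously received `next_pn_halves.lower`. For a non-XPN SA the upper 32 bits must be zero for the behaviour to stay the same; either pass the lower half when `!secy->xpn` or state in the commit message why the upper half is guaranteed clear in that case. The same question applies to the other `next_pn` call sites changed in this patch.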
@@ -959,7 +1011,7 @@  static int cn10k_mcs_secy_rx_cfg(struct otx2_nic *pfvf,
 			cn10k_mcs_write_rx_sa_plcy(pfvf, secy, mcs_rx_sc,
 						   sa_num, sw_rx_sa->active);
 			cn10k_mcs_write_rx_sa_pn(pfvf, mcs_rx_sc, sa_num,
-						 sw_rx_sa->next_pn_halves.lower);
+						 sw_rx_sa->next_pn);
 		}
 
 		cn10k_mcs_write_rx_flowid(pfvf, mcs_rx_sc, hw_secy_id);
@@ -1103,13 +1155,6 @@  static int cn10k_mdo_add_secy(struct macsec_context *ctx)
 	if (secy->icv_len != MACSEC_DEFAULT_ICV_LEN)
 		return -EOPNOTSUPP;
 
-	/* Stick to 16 bytes key len until XPN support is added */
-	if (secy->key_len != 16)
-		return -EOPNOTSUPP;
-
-	if (secy->xpn)
-		return -EOPNOTSUPP;
-
 	txsc = cn10k_mcs_create_txsc(pfvf);
 	if (IS_ERR(txsc))
 		return -ENOSPC;
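Review bot: With both checks removed, `cn10k_mdo_add_secy()` no longer rejects any `secy->key_len`, while the cipher selection added in this patch handles only 16 and 32 and answers anything else with a `dev_warn()`. Keep a check here that returns `-EOPNOTSUPP` unless `secy->key_len` is 16 or 32, so an unsupported configuration is refused at add time instead of being offloaded with a different cipher.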
@@ -1202,6 +1247,9 @@  static int cn10k_mdo_add_txsa(struct macsec_context *ctx)
 		return -ENOSPC;
 
 	memcpy(&txsc->sa_key[sa_num], ctx->sa.key, secy->key_len);
+	memcpy(&txsc->salt[sa_num], sw_tx_sa->key.salt.bytes, MACSEC_SALT_LEN);
+	txsc->ssci[sa_num] = sw_tx_sa->ssci;
+
 	txsc->sa_bmap |= 1 << sa_num;
 
 	if (netif_running(secy->netdev)) {
@@ -1210,7 +1258,7 @@  static int cn10k_mdo_add_txsa(struct macsec_context *ctx)
 			return err;
 
 		err = cn10k_write_tx_sa_pn(pfvf, txsc, sa_num,
-					   sw_tx_sa->next_pn_halves.lower);
+					   sw_tx_sa->next_pn);
 		if (err)
 			return err;
 
@@ -1243,7 +1291,7 @@  static int cn10k_mdo_upd_txsa(struct macsec_context *ctx)
 	if (netif_running(secy->netdev)) {
 		/* Keys cannot be changed after creation */
 		err = cn10k_write_tx_sa_pn(pfvf, txsc, sa_num,
-					   sw_tx_sa->next_pn_halves.lower);
+					   sw_tx_sa->next_pn);
 		if (err)
 			return err;
 
@@ -1353,7 +1401,6 @@  static int cn10k_mdo_add_rxsa(struct macsec_context *ctx)
 	struct macsec_rx_sc *sw_rx_sc = ctx->sa.rx_sa->sc;
 	struct cn10k_mcs_cfg *cfg = pfvf->macsec_cfg;
 	struct macsec_rx_sa *rx_sa = ctx->sa.rx_sa;
-	u64 next_pn = rx_sa->next_pn_halves.lower;
 	struct macsec_secy *secy = ctx->secy;
 	bool sa_in_use = rx_sa->active;
 	u8 sa_num = ctx->sa.assoc_num;
@@ -1371,6 +1418,9 @@  static int cn10k_mdo_add_rxsa(struct macsec_context *ctx)
 		return -ENOSPC;
 
 	memcpy(&rxsc->sa_key[sa_num], ctx->sa.key, ctx->secy->key_len);
+	memcpy(&rxsc->salt[sa_num], rx_sa->key.salt.bytes, MACSEC_SALT_LEN);
+	rxsc->ssci[sa_num] = rx_sa->ssci;
+
 	rxsc->sa_bmap |= 1 << sa_num;
 
 	if (netif_running(secy->netdev)) {
@@ -1379,7 +1429,8 @@  static int cn10k_mdo_add_rxsa(struct macsec_context *ctx)
 		if (err)
 			return err;
 
-		err = cn10k_mcs_write_rx_sa_pn(pfvf, rxsc, sa_num, next_pn);
+		err = cn10k_mcs_write_rx_sa_pn(pfvf, rxsc, sa_num,
+					       rx_sa->next_pn);
 		if (err)
 			return err;
 	}
@@ -1393,7 +1444,6 @@  static int cn10k_mdo_upd_rxsa(struct macsec_context *ctx)
 	struct macsec_rx_sc *sw_rx_sc = ctx->sa.rx_sa->sc;
 	struct cn10k_mcs_cfg *cfg = pfvf->macsec_cfg;
 	struct macsec_rx_sa *rx_sa = ctx->sa.rx_sa;
-	u64 next_pn = rx_sa->next_pn_halves.lower;
 	struct macsec_secy *secy = ctx->secy;
 	bool sa_in_use = rx_sa->active;
 	u8 sa_num = ctx->sa.assoc_num;
@@ -1412,7 +1462,8 @@  static int cn10k_mdo_upd_rxsa(struct macsec_context *ctx)
 		if (err)
 			return err;
 
-		err = cn10k_mcs_write_rx_sa_pn(pfvf, rxsc, sa_num, next_pn);
+		err = cn10k_mcs_write_rx_sa_pn(pfvf, rxsc, sa_num,
+					       rx_sa->next_pn);
 		if (err)
 			return err;
 	}
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h
index 0c8fc66..d17274a 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h
@@ -15,6 +15,7 @@ 
 #include <linux/ptp_clock_kernel.h>
 #include <linux/timecounter.h>
 #include <linux/soc/marvell/octeontx2/asm.h>
+#include <net/macsec.h>
 #include <net/pkt_cls.h>
 #include <net/devlink.h>
 #include <linux/time64.h>
@@ -398,6 +399,8 @@  struct cn10k_mcs_txsc {
 	u8 sa_bmap;
 	u8 sa_key[CN10K_MCS_SA_PER_SC][MACSEC_MAX_KEY_LEN];
 	u8 encoding_sa;
+	u8 salt[CN10K_MCS_SA_PER_SC][MACSEC_SALT_LEN];
+	ssci_t ssci[CN10K_MCS_SA_PER_SC];
 };
 
 struct cn10k_mcs_rxsc {
@@ -410,6 +413,8 @@  struct cn10k_mcs_rxsc {
 	u16 hw_sa_id[CN10K_MCS_SA_PER_SC];
 	u8 sa_bmap;
 	u8 sa_key[CN10K_MCS_SA_PER_SC][MACSEC_MAX_KEY_LEN];
+	u8 salt[CN10K_MCS_SA_PER_SC][MACSEC_SALT_LEN];
+	ssci_t ssci[CN10K_MCS_SA_PER_SC];
 };
 
 struct cn10k_mcs_cfg {