From patchwork Tue Apr 23 18:13:04 2024
X-Patchwork-Submitter: Rahul Rameshbabu
X-Patchwork-Id: 13640531
X-Patchwork-Delegate: kuba@kernel.org
From: Rahul Rameshbabu
To: netdev@vger.kernel.org, stable@vger.kernel.org
Cc: Jakub Kicinski, Eric Dumazet, "David S. Miller", Paolo Abeni, Gal Pressman, Tariq Toukan, Sabrina Dubroca, Yossi Kuperman, Benjamin Poirier, Cosmin Ratiu, Rahul Rameshbabu
Subject: [PATCH net v3 3/4] macsec: Detect if Rx skb is macsec-related for offloading devices that update md_dst
Date: Tue, 23 Apr 2024 11:13:04 -0700
Message-ID: <20240423181319.115860-4-rrameshbabu@nvidia.com>
X-Mailer: git-send-email 2.42.0
In-Reply-To: <20240423181319.115860-1-rrameshbabu@nvidia.com>
References: <20240423181319.115860-1-rrameshbabu@nvidia.com>

Can now correctly identify where the packets should be delivered by using md_dst or its absence on devices that provide it.

This detection is not possible without device drivers that update md_dst. A fallback pattern should be used for supporting such device drivers. This fallback mode causes multicast messages to be cloned to both the non-macsec and macsec ports, independent of whether the multicast message received was encrypted over MACsec or not. Other non-macsec traffic may also fail to be handled correctly for devices in promiscuous mode.

Link: https://lore.kernel.org/netdev/ZULRxX9eIbFiVi7v@hog/
Cc: Sabrina Dubroca
Cc: stable@vger.kernel.org
Fixes: 860ead89b851 ("net/macsec: Add MACsec skb_metadata_dst Rx Data path support")
Signed-off-by: Rahul Rameshbabu
Reviewed-by: Benjamin Poirier
Reviewed-by: Cosmin Ratiu
---
 drivers/net/macsec.c | 46 ++++++++++++++++++++++++++++++++++----------
 1 file changed, 36 insertions(+), 10 deletions(-)

diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c index 0206b84284ab..ff016c11b4a0 100644 --- a/drivers/net/macsec.c +++ b/drivers/net/macsec.c @@ -999,10 +999,12 @@ static enum rx_handler_result handle_not_macsec(struct sk_buff *skb) struct metadata_dst *md_dst; struct macsec_rxh_data *rxd; struct macsec_dev *macsec; + bool is_macsec_md_dst; rcu_read_lock(); rxd = macsec_data_rcu(skb->dev); md_dst = skb_metadata_dst(skb); + is_macsec_md_dst = md_dst && md_dst->type == METADATA_MACSEC; list_for_each_entry_rcu(macsec, &rxd->secys, secys) { struct sk_buff *nskb; 
@@ -1013,14 +1015,42 @@ static enum rx_handler_result handle_not_macsec(struct sk_buff *skb) * the SecTAG, so we have to deduce which port to deliver to. */ if (macsec_is_offloaded(macsec) && netif_running(ndev)) { - struct macsec_rx_sc *rx_sc = NULL; + const struct macsec_ops *ops; - if (md_dst && md_dst->type == METADATA_MACSEC) - rx_sc = find_rx_sc(&macsec->secy, md_dst->u.macsec_info.sci); + ops = macsec_get_ops(macsec, NULL); - if (md_dst && md_dst->type == METADATA_MACSEC && !rx_sc) + if (ops->rx_uses_md_dst && !is_macsec_md_dst) continue; + if (is_macsec_md_dst) { + struct macsec_rx_sc *rx_sc; + + /* All drivers that implement MACsec offload + * support using skb metadata destinations must + * indicate that they do so. + */ + DEBUG_NET_WARN_ON_ONCE(!ops->rx_uses_md_dst); + rx_sc = find_rx_sc(&macsec->secy, + md_dst->u.macsec_info.sci); + if (!rx_sc) + continue; + /* device indicated macsec offload occurred */ + skb->dev = ndev; + skb->pkt_type = PACKET_HOST; + eth_skb_pkt_type(skb, ndev); + ret = RX_HANDLER_ANOTHER; + goto out; + } + + /* This datapath is insecure because it is unable to + * enforce isolation of broadcast/multicast traffic and + * unicast traffic with promiscuous mode on the macsec + * netdev. Since the core stack has no mechanism to + * check that the hardware did indeed receive MACsec + * traffic, it is possible that the response handling + * done by the MACsec port was to a plaintext packet. + * This violates the MACsec protocol standard. + */ if (ether_addr_equal_64bits(hdr->h_dest, ndev->dev_addr)) { /* exact match, divert skb to this port */ 
@@ -1036,14 +1066,10 @@ static enum rx_handler_result handle_not_macsec(struct sk_buff *skb) break; nskb->dev = ndev; - if (ether_addr_equal_64bits(hdr->h_dest, - ndev->broadcast)) - nskb->pkt_type = PACKET_BROADCAST; - else - nskb->pkt_type = PACKET_MULTICAST; + eth_skb_pkt_type(nskb, ndev); __netif_rx(nskb); - } else if (rx_sc || ndev->flags & IFF_PROMISC) { + } else if (ndev->flags & IFF_PROMISC) { skb->dev = ndev; skb->pkt_type = PACKET_HOST; ret = RX_HANDLER_ANOTHER;
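
Review bot: In the hunk at @@ -1013,14 +1015,42 @@, ops is dereferenced as ops->rx_uses_md_dst immediately after "ops = macsec_get_ops(macsec, NULL);" with no NULL check, on a receive path that runs for each offloaded, running port in the list walk. If the macsec_is_offloaded(macsec) test above it is what guarantees a non-NULL return, say so in a short comment; otherwise add "if (!ops) continue;" before the first use. Note also that DEBUG_NET_WARN_ON_ONCE(!ops->rx_uses_md_dst) is compiled out unless CONFIG_DEBUG_NET is set, so on production builds a driver that attaches a METADATA_MACSEC md_dst without setting rx_uses_md_dst is never reported, and its frames that arrive without md_dst keep using the fallback that the new comment describes as insecure. The comment above that warning ("All drivers that implement MACsec offload support using skb metadata destinations must indicate that they do so") is hard to parse and could be reworded to name the field, for example "drivers that set md_dst on Rx must set rx_uses_md_dst".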
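
Review bot: In the hunk at @@ -1036,14 +1066,10 @@, eth_skb_pkt_type(nskb, ndev) replaces the open-coded PACKET_BROADCAST/PACKET_MULTICAST assignment, but the diffstat shows only drivers/net/macsec.c changed and neither that helper nor the rx_uses_md_dst field used in the previous hunk is defined here. Because the patch carries Cc: stable and a Fixes: tag, the commit message should name the earlier patches in this series that it depends on, so a backport does not pick up 3/4 alone and fail to build. In the same hunk, the condition becomes "else if (ndev->flags & IFF_PROMISC)" and the branch still sets skb->pkt_type = PACKET_HOST for a frame that did not match ndev->dev_addr; a one-line comment tying this branch to the "This datapath is insecure" block comment added earlier would make it clear that this is the fallback path and not the md_dst path.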