[2/2] selftests: rtnetlink: add ipsec packet offload test

Message ID 20241104233315.3387982-1-wangfe@google.com (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Series [1/2] xfrm: add SA information to the offloaded packet

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 3 this patch: 3
netdev/build_tools success Errors and warnings before: 2 (+0) this patch: 2 (+0)
netdev/cc_maintainers fail 6 maintainers not CCed: horms@kernel.org shuah@kernel.org edumazet@google.com pabeni@redhat.com linux-kselftest@vger.kernel.org kuba@kernel.org
netdev/build_clang success Errors and warnings before: 3 this patch: 3
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success net selftest script(s) already in Makefile
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 3 this patch: 3
netdev/checkpatch warning WARNING: line length of 81 exceeds 80 columns WARNING: line length of 82 exceeds 80 columns WARNING: line length of 84 exceeds 80 columns WARNING: line length of 87 exceeds 80 columns
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest fail net-next-2024-11-05--00-00 (tests: 777)

Commit Message

Feng Wang Nov. 4, 2024, 11:33 p.m. UTC
From: wangfe <wangfe@google.com>

Duplicating kci_test_ipsec_offload to create a packet offload test.
Using the netdevsim as a device for testing ipsec packet mode.
Test the XFRM commands for setting up IPsec hardware packet offloads,
especially configuring the XFRM interface ID.

Signed-off-by: wangfe <wangfe@google.com>
---
 tools/testing/selftests/net/rtnetlink.sh | 124 +++++++++++++++++++++++
 1 file changed, 124 insertions(+)

Comments

Jakub Kicinski Nov. 5, 2024, 1:26 a.m. UTC | #1
On Mon,  4 Nov 2024 15:33:15 -0800 Feng Wang wrote:
> From: wangfe <wangfe@google.com>
> 
> Duplicating kci_test_ipsec_offload to create a packet offload test.
> Using the netdevsim as a device for testing ipsec packet mode.
> Test the XFRM commands for setting up IPsec hardware packet offloads,
> especially configuring the XFRM interface ID.

CI appears to not be on board:

# 26.29 [+0.07] RTNETLINK answers: Operation not supported
# 26.36 [+0.07] FAIL: ipsec_packet_offload can't create SA

https://netdev-3.bots.linux.dev/vmksft-net/results/846081/25-rtnetlink-sh/stdout

Maybe you need to add more options to tools/testing/selftests/net/config

But stepping back - I think it may be time to move the crypto tunnel
tests based on netdevsim to
tools/testing/selftests/drivers/net/netdevsim ? rtnetlink is our main
netlink family, likely half of all our tests could be called a
"rtnetlink test".

Jakub Kicinski Nov. 5, 2024, 1:27 a.m. UTC | #2
On Mon, 4 Nov 2024 17:26:12 -0800 Jakub Kicinski wrote:
> On Mon,  4 Nov 2024 15:33:15 -0800 Feng Wang wrote:
> > From: wangfe <wangfe@google.com>
> > 
> > Duplicating kci_test_ipsec_offload to create a packet offload test.
> > Using the netdevsim as a device for testing ipsec packet mode.
> > Test the XFRM commands for setting up IPsec hardware packet offloads,
> > especially configuring the XFRM interface ID.  
> 
> CI appears to not be on board:
> 
> # 26.29 [+0.07] RTNETLINK answers: Operation not supported
> # 26.36 [+0.07] FAIL: ipsec_packet_offload can't create SA
> 
> https://netdev-3.bots.linux.dev/vmksft-net/results/846081/25-rtnetlink-sh/stdout
> 
> Maybe you need to add more options to tools/testing/selftests/net/config
> 
> But stepping back - I think it may be time to move the crypto tunnel
> tests based on netdevsim to
> tools/testing/selftests/drivers/net/netdevsim ? rtnetlink is our main
> netlink family, likely half of all our tests could be called a
> "rtnetlink test".

PS. this wiki tells you how the CI builds the kernel, so it is useful
for making sure the config options are chosen correctly:
https://github.com/linux-netdev/nipa/wiki/How-to-run-netdev-selftests-CI-style

Feng Wang Nov. 12, 2024, 7:49 p.m. UTC | #3
Hi Jakub,

Thanks for your information, I am able to reproduce the test
environment and run the test.  The main reason for failure is that
this patch relies on the previous patch
(https://lore.kernel.org/all/20241112192249.341515-1-wangfe@google.com/),
and it is not checked in yet.
And there is another routing issue that I will fix too, and I will
upstream it again when the previous patch is checked in.

Thanks again for your help.

Feng

Patch

diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh
index bdf6f10d0558..4ce31625d593 100755
--- a/tools/testing/selftests/net/rtnetlink.sh
+++ b/tools/testing/selftests/net/rtnetlink.sh
@@ -24,6 +24,7 @@  ALL_TESTS="
 	kci_test_macsec_offload
 	kci_test_ipsec
 	kci_test_ipsec_offload
+	kci_test_ipsec_packet_offload
 	kci_test_fdb_get
 	kci_test_neigh_get
 	kci_test_bridge_parent_id
@@ -841,6 +842,129 @@  EOF
 	end_test "PASS: ipsec_offload"
 }
 
+#-------------------------------------------------------------------
+# Example commands
+#   ip x s add proto esp src 14.0.0.52 dst 14.0.0.70 \
+#            spi 0x07 mode tunnel reqid 0x07 replay-window 32 \
+#            aead 'rfc4106(gcm(aes))' 1234567890123456dcba 128 \
+#            sel src 14.0.0.52/24 dst 14.0.0.70/24
+#            offload packet dev ipsec1 dir out if_id 1
+#   ip x p add dir out src 14.0.0.52/24 dst 14.0.0.70/24 \
+#            tmpl proto esp src 14.0.0.52 dst 14.0.0.70 \
+#            spi 0x07 mode tunnel reqid 0x07 \
+#            offload packet dev ipsec1 if_id 1
+#
+#-------------------------------------------------------------------
+kci_test_ipsec_packet_offload()
+{
+	local ret=0
+	algo="aead rfc4106(gcm(aes)) 0x3132333435363738393031323334353664636261 128"
+	srcip=192.168.123.3
+	dstip=192.168.123.4
+	sysfsd=/sys/kernel/debug/netdevsim/netdevsim0/ports/0/
+	sysfsf=$sysfsd/ipsec
+	sysfsnet=/sys/bus/netdevsim/devices/netdevsim0/net/
+	probed=false
+
+	if ! mount | grep -q debugfs; then
+		mount -t debugfs none /sys/kernel/debug/ &> /dev/null
+	fi
+
+	# setup netdevsim since dummydev doesn't have offload support
+	if [ ! -w /sys/bus/netdevsim/new_device ] ; then
+		run_cmd modprobe -q netdevsim
+		if [ $ret -ne 0 ]; then
+			end_test "SKIP: ipsec_packet_offload can't load netdevsim"
+			return $ksft_skip
+		fi
+		probed=true
+	fi
+
+	echo "0" > /sys/bus/netdevsim/new_device
+	while [ ! -d $sysfsnet ] ; do :; done
+	udevadm settle
+	dev=`ls $sysfsnet`
+
+	ip addr add $netdevsimip dev $dev
+	ip link set $dev up
+	if [ ! -d $sysfsd ] ; then
+		end_test "FAIL: ipsec_packet_offload can't create device $dev"
+		return 1
+	fi
+	if [ ! -f $sysfsf ] ; then
+		end_test "FAIL: ipsec_packet_offload netdevsim doesn't support offload"
+		return 1
+	fi
+
+	# flush to be sure there's nothing configured
+	ip x s flush ; ip x p flush
+
+	# create offloaded out SA
+	run_cmd ip x p add offload packet dev $dev dir out src $srcip/24 \
+	    dst $dstip/24 tmpl proto esp src $srcip dst $dstip spi 9 \
+	    mode tunnel reqid 42 if_id $ipsec_if_id
+
+	run_cmd ip x s add proto esp src $srcip dst $dstip spi 9 \
+	    mode tunnel reqid 42 $algo sel src $srcip/24 dst $dstip/24 \
+	    offload packet dev $dev dir out if_id $ipsec_if_id
+
+	if [ $ret -ne 0 ]; then
+		end_test "FAIL: ipsec_packet_offload can't create SA"
+		return 1
+	fi
+
+	# does offload show up in ip output
+	lines=`ip x s list | grep -c "crypto offload parameters: dev $dev dir"`
+	if [ $lines -ne 1 ] ; then
+		check_err 1
+		end_test "FAIL: ipsec_packet_offload SA missing from list output"
+	fi
+
+	# setup xfrm interface
+	ip link add $ipsecdev type xfrm dev lo if_id $ipsec_if_id
+	ip link set $ipsecdev up
+	ip addr add $srcip/24 dev $ipsecdev
+
+	# we didn't create a peer, make sure we can Tx
+	ip neigh add $dstip dev $dev lladdr 00:11:22:33:44:55
+	# use ping to exercise the Tx path
+	ping -I $ipsecdev -c 3 -W 1 -i 0 $dstip >/dev/null
+
+	# remove xfrm interface
+	ip link delete $ipsecdev
+
+	# does driver have correct offload info
+	run_cmd diff $sysfsf - << EOF
+SA count=1 tx=3
+sa[0] tx ipaddr=0x00000000 00000000 00000000 00000000
+sa[0]    spi=0x00000009 proto=0x32 salt=0x61626364 crypt=1
+sa[0]    key=0x34333231 38373635 32313039 36353433
+EOF
+	if [ $? -ne 0 ] ; then
+		end_test "FAIL: ipsec_packet_offload incorrect driver data"
+		check_err 1
+	fi
+
+	# does offload get removed from driver
+	ip x s flush
+	ip x p flush
+	lines=`grep -c "SA count=0" $sysfsf`
+	if [ $lines -ne 1 ] ; then
+		check_err 1
+		end_test "FAIL: ipsec_packet_offload SA not removed from driver"
+	fi
+
+	# clean up any leftovers
+	echo 0 > /sys/bus/netdevsim/del_device
+	$probed && rmmod netdevsim
+
+	if [ $ret -ne 0 ]; then
+		end_test "FAIL: ipsec_packet_offload"
+		return 1
+	fi
+	end_test "PASS: ipsec_packet_offload"
+}
+
 kci_test_gretap()
 {
 	DEV_NS=gretap00
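
Review bot: `$netdevsimip`, `$ipsecdev` and `$ipsec_if_id` are used in kci_test_ipsec_packet_offload() (`ip addr add $netdevsimip dev $dev`, `ip link add $ipsecdev type xfrm dev lo if_id $ipsec_if_id`, and the `if_id $ipsec_if_id` arguments of both `ip x p add` and `ip x s add`) but none of them is assigned in the function's setup block, which only sets algo, srcip, dstip, sysfsd, sysfsf, sysfsnet and probed. Unless they are defined at file scope outside the visible context, they expand to nothing and `if_id` is left without a value, so please assign them next to `srcip`/`dstip` and declare them `local`. Separately, the early `return 1` paths ("can't create device", "doesn't support offload", "can't create SA") skip the `echo 0 > /sys/bus/netdevsim/del_device` and `rmmod netdevsim` cleanup at the end of the function, leaving the netdevsim device and any policy already added behind for the tests that follow; routing those exits through a common cleanup step would avoid that.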