Commit 72863e08 authored by Jakub Kicinski's avatar Jakub Kicinski

Merge branch 'add-support-to-offload-macsec-using-netlink-update'

Emeel Hakim says:

====================
Add support to offload macsec using netlink update

This series adds support for offloading macsec as part of the netlink
update routine, command example:

  $ ip link set link eth2 macsec0 type macsec offload mac

The above is done using the IFLA_MACSEC_OFFLOAD attribute hence
the second patch of dumping this attribute as part of the macsec
dump.
====================

Link: https://lore.kernel.org/r/20230111150210.8246-1-ehakim@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents 5bee990f 723e8a48
...@@ -2583,16 +2583,56 @@ static bool macsec_is_configured(struct macsec_dev *macsec) ...@@ -2583,16 +2583,56 @@ static bool macsec_is_configured(struct macsec_dev *macsec)
return false; return false;
} }
static int macsec_update_offload(struct net_device *dev, enum macsec_offload offload)
{
enum macsec_offload prev_offload;
const struct macsec_ops *ops;
struct macsec_context ctx;
struct macsec_dev *macsec;
int ret = 0;
macsec = macsec_priv(dev);
/* Check if the offloading mode is supported by the underlying layers */
if (offload != MACSEC_OFFLOAD_OFF &&
!macsec_check_offload(offload, macsec))
return -EOPNOTSUPP;
/* Check if the net device is busy. */
if (netif_running(dev))
return -EBUSY;
/* Check if the device already has rules configured: we do not support
* rules migration.
*/
if (macsec_is_configured(macsec))
return -EBUSY;
prev_offload = macsec->offload;
ops = __macsec_get_ops(offload == MACSEC_OFFLOAD_OFF ? prev_offload : offload,
macsec, &ctx);
if (!ops)
return -EOPNOTSUPP;
macsec->offload = offload;
ctx.secy = &macsec->secy;
ret = offload == MACSEC_OFFLOAD_OFF ? macsec_offload(ops->mdo_del_secy, &ctx)
: macsec_offload(ops->mdo_add_secy, &ctx);
if (ret)
macsec->offload = prev_offload;
return ret;
}
static int macsec_upd_offload(struct sk_buff *skb, struct genl_info *info) static int macsec_upd_offload(struct sk_buff *skb, struct genl_info *info)
{ {
struct nlattr *tb_offload[MACSEC_OFFLOAD_ATTR_MAX + 1]; struct nlattr *tb_offload[MACSEC_OFFLOAD_ATTR_MAX + 1];
enum macsec_offload offload, prev_offload;
int (*func)(struct macsec_context *ctx);
struct nlattr **attrs = info->attrs; struct nlattr **attrs = info->attrs;
struct net_device *dev; enum macsec_offload offload;
const struct macsec_ops *ops;
struct macsec_context ctx;
struct macsec_dev *macsec; struct macsec_dev *macsec;
struct net_device *dev;
int ret = 0; int ret = 0;
if (!attrs[MACSEC_ATTR_IFINDEX]) if (!attrs[MACSEC_ATTR_IFINDEX])
...@@ -2621,55 +2661,9 @@ static int macsec_upd_offload(struct sk_buff *skb, struct genl_info *info) ...@@ -2621,55 +2661,9 @@ static int macsec_upd_offload(struct sk_buff *skb, struct genl_info *info)
} }
offload = nla_get_u8(tb_offload[MACSEC_OFFLOAD_ATTR_TYPE]); offload = nla_get_u8(tb_offload[MACSEC_OFFLOAD_ATTR_TYPE]);
if (macsec->offload == offload)
goto out;
/* Check if the offloading mode is supported by the underlying layers */
if (offload != MACSEC_OFFLOAD_OFF &&
!macsec_check_offload(offload, macsec)) {
ret = -EOPNOTSUPP;
goto out;
}
/* Check if the net device is busy. */
if (netif_running(dev)) {
ret = -EBUSY;
goto out;
}
prev_offload = macsec->offload;
macsec->offload = offload;
/* Check if the device already has rules configured: we do not support if (macsec->offload != offload)
* rules migration. ret = macsec_update_offload(dev, offload);
*/
if (macsec_is_configured(macsec)) {
ret = -EBUSY;
goto rollback;
}
ops = __macsec_get_ops(offload == MACSEC_OFFLOAD_OFF ? prev_offload : offload,
macsec, &ctx);
if (!ops) {
ret = -EOPNOTSUPP;
goto rollback;
}
if (prev_offload == MACSEC_OFFLOAD_OFF)
func = ops->mdo_add_secy;
else
func = ops->mdo_del_secy;
ctx.secy = &macsec->secy;
ret = macsec_offload(func, &ctx);
if (ret)
goto rollback;
rtnl_unlock();
return 0;
rollback:
macsec->offload = prev_offload;
out: out:
rtnl_unlock(); rtnl_unlock();
return ret; return ret;
...@@ -3817,6 +3811,8 @@ static int macsec_changelink(struct net_device *dev, struct nlattr *tb[], ...@@ -3817,6 +3811,8 @@ static int macsec_changelink(struct net_device *dev, struct nlattr *tb[],
struct netlink_ext_ack *extack) struct netlink_ext_ack *extack)
{ {
struct macsec_dev *macsec = macsec_priv(dev); struct macsec_dev *macsec = macsec_priv(dev);
bool macsec_offload_state_change = false;
enum macsec_offload offload;
struct macsec_tx_sc tx_sc; struct macsec_tx_sc tx_sc;
struct macsec_secy secy; struct macsec_secy secy;
int ret; int ret;
...@@ -3840,8 +3836,18 @@ static int macsec_changelink(struct net_device *dev, struct nlattr *tb[], ...@@ -3840,8 +3836,18 @@ static int macsec_changelink(struct net_device *dev, struct nlattr *tb[],
if (ret) if (ret)
goto cleanup; goto cleanup;
if (data[IFLA_MACSEC_OFFLOAD]) {
offload = nla_get_u8(data[IFLA_MACSEC_OFFLOAD]);
if (macsec->offload != offload) {
macsec_offload_state_change = true;
ret = macsec_update_offload(dev, offload);
if (ret)
goto cleanup;
}
}
/* If h/w offloading is available, propagate to the device */ /* If h/w offloading is available, propagate to the device */
if (macsec_is_offloaded(macsec)) { if (!macsec_offload_state_change && macsec_is_offloaded(macsec)) {
const struct macsec_ops *ops; const struct macsec_ops *ops;
struct macsec_context ctx; struct macsec_context ctx;
...@@ -4240,16 +4246,22 @@ static size_t macsec_get_size(const struct net_device *dev) ...@@ -4240,16 +4246,22 @@ static size_t macsec_get_size(const struct net_device *dev)
nla_total_size(1) + /* IFLA_MACSEC_SCB */ nla_total_size(1) + /* IFLA_MACSEC_SCB */
nla_total_size(1) + /* IFLA_MACSEC_REPLAY_PROTECT */ nla_total_size(1) + /* IFLA_MACSEC_REPLAY_PROTECT */
nla_total_size(1) + /* IFLA_MACSEC_VALIDATION */ nla_total_size(1) + /* IFLA_MACSEC_VALIDATION */
nla_total_size(1) + /* IFLA_MACSEC_OFFLOAD */
0; 0;
} }
static int macsec_fill_info(struct sk_buff *skb, static int macsec_fill_info(struct sk_buff *skb,
const struct net_device *dev) const struct net_device *dev)
{ {
struct macsec_secy *secy = &macsec_priv(dev)->secy; struct macsec_tx_sc *tx_sc;
struct macsec_tx_sc *tx_sc = &secy->tx_sc; struct macsec_dev *macsec;
struct macsec_secy *secy;
u64 csid; u64 csid;
macsec = macsec_priv(dev);
secy = &macsec->secy;
tx_sc = &secy->tx_sc;
switch (secy->key_len) { switch (secy->key_len) {
case MACSEC_GCM_AES_128_SAK_LEN: case MACSEC_GCM_AES_128_SAK_LEN:
csid = secy->xpn ? MACSEC_CIPHER_ID_GCM_AES_XPN_128 : MACSEC_DEFAULT_CIPHER_ID; csid = secy->xpn ? MACSEC_CIPHER_ID_GCM_AES_XPN_128 : MACSEC_DEFAULT_CIPHER_ID;
...@@ -4274,6 +4286,7 @@ static int macsec_fill_info(struct sk_buff *skb, ...@@ -4274,6 +4286,7 @@ static int macsec_fill_info(struct sk_buff *skb,
nla_put_u8(skb, IFLA_MACSEC_SCB, tx_sc->scb) || nla_put_u8(skb, IFLA_MACSEC_SCB, tx_sc->scb) ||
nla_put_u8(skb, IFLA_MACSEC_REPLAY_PROTECT, secy->replay_protect) || nla_put_u8(skb, IFLA_MACSEC_REPLAY_PROTECT, secy->replay_protect) ||
nla_put_u8(skb, IFLA_MACSEC_VALIDATION, secy->validate_frames) || nla_put_u8(skb, IFLA_MACSEC_VALIDATION, secy->validate_frames) ||
nla_put_u8(skb, IFLA_MACSEC_OFFLOAD, macsec->offload) ||
0) 0)
goto nla_put_failure; goto nla_put_failure;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment