#
6fb7f940 |
|
04-Oct-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Connect mlx5 IPsec statistics with XFRM core

Fill integrity, replay and bad trailer counters.

As an example, after simulating replay window attack with 5 packets:

    [leonro@c ~]$ grep XfrmInStateSeqError /proc/net/xfrm_stat
    XfrmInStateSeqError 5
    [leonro@c ~]$ sudo ip -s x s
    <...>
    stats:
      replay-window 0 replay 5 failed 0

Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
f9f221c9 |
|
04-Oct-2023 |
Leon Romanovsky <leon@kernel.org> |
xfrm: get global statistics from the offloaded device

Iterate over all SAs in order to fill global IPsec statistics.

Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
fd2bc419 |
|
03-Oct-2023 |
Leon Romanovsky <leon@kernel.org> |
xfrm: generalize xdo_dev_state_update_curlft to allow statistics update

In order to allow drivers to fill all statistics, change the name of xdo_dev_state_update_curlft to be xdo_dev_state_update_stats.

Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
315a597f |
|
26-Nov-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Ignore IPsec replay window values on sender side

XFRM stack doesn't prevent from users to configure replay window in TX side and strongswan sets replay_window to be 1. It causes to failures in validation logic when trying to offload the SA.

Replay window is not relevant in TX side and should be ignored.

Fixes: cded6d80129b ("net/mlx5e: Store replay window in XFRM attributes")
Signed-off-by: Aya Levin <ayal@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
762a55a5 |
|
30-Oct-2023 |
Chris Mi <cmi@nvidia.com> |
net/mlx5e: Disable IPsec offload support if not FW steering

IPsec FDB offload can only work with FW steering as of now, disable the cap upon non FW steering. And since the IPSec cap is dynamic now based on steering mode. Cleanup the resources if they exist instead of checking the IPsec cap again.

Fixes: edd8b295f9e2 ("Merge branch 'mlx5-ipsec-packet-offload-support-in-eswitch-mode'")
Signed-off-by: Chris Mi <cmi@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
|
#
3d42c8cc |
|
20-Sep-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Ensure that IPsec sequence packet number starts from 1

According to RFC4303, section "3.3.3. Sequence Number Generation", the first packet sent using a given SA will contain a sequence number of 1.

However if user didn't set seq/oseq, the HW used zero as first sequence packet number. Such misconfiguration causes to drop of first packet if replay window protection was enabled in SA.

To fix it, set sequence number to be at least 1.

Fixes: 7db21ef4566e ("net/mlx5e: Set IPsec replay sequence numbers")
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
|
#
a5e400a9 |
|
20-Aug-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Honor user choice of IPsec replay window size

Users can configure IPsec replay window size, but mlx5 driver didn't honor their choice and set always 32bits. Fix assignment logic to configure right size from the beginning.

Fixes: 7db21ef4566e ("net/mlx5e: Set IPsec replay sequence numbers")
Reviewed-by: Patrisious Haddad <phaddad@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
|
#
627aa139 |
|
12-Oct-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Allow IPsec soft/hard limits in bytes

Actually the mlx5 code already has needed support to allow users to configure soft/hard limits in bytes. It is possible due to the situation with TX path, where CX7 devices are missing hardware implementation to send events to the software, see commit b2f7b01d36a9 ("net/mlx5e: Simulate missing IPsec TX limits hardware functionality").

That software workaround is not limited to TX and works for bytes too. So relax the validation logic to not block soft/hard limits in bytes.

Reviewed-by: Patrisious Haddad <phaddad@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
82f9378c |
|
21-Sep-2023 |
Patrisious Haddad <phaddad@nvidia.com> |
net/mlx5: Handle IPsec steering upon master unbind/bind

When the master device is unbound, make sure to clean up all of the steering rules or flow tables that were created over the master, in order to allow proper unbinding of master, and for ethernet traffic to continue to work independently.

Upon bringing master device back up and attaching the slave to it, checks if the slave already has IPsec configured and if so reconfigure the rules needed to support RoCE traffic.

Note that while master device is unbound, the user is unable to configure IPsec again, since they are in a kind of illegal state in which they are in MPV mode but the slave has no master.

However if IPsec was configured beforehand, it will continue to work for ethernet traffic while master is unbound, and would continue to work for all traffic when the master is bound back again.

Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
Reviewed-by: Mark Bloch <mbloch@nvidia.com>
Link: https://lore.kernel.org/r/8434e88912c588affe51b34669900382a132e873.1695296682.git.leon@kernel.org
Signed-off-by: Leon Romanovsky <leon@kernel.org>
|
#
eff5b663 |
|
21-Sep-2023 |
Patrisious Haddad <phaddad@nvidia.com> |
net/mlx5: Store devcom pointer inside IPsec RoCE

Store the mlx5e priv devcom component within IPsec RoCE to enable the IPsec RoCE code to access the other device's private information. This includes retrieving the necessary device information and the IPsec database, which helps determine if IPsec is configured or not.

Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
Reviewed-by: Mark Bloch <mbloch@nvidia.com>
Link: https://lore.kernel.org/r/5bb3160ceeb07523542302886da54c78eef0d2af.1695296682.git.leon@kernel.org
Signed-off-by: Leon Romanovsky <leon@kernel.org>
|
#
8efd7b17 |
|
25-Aug-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5: Provide an interface to block change of IPsec capabilities

mlx5 HW can't perform IPsec offload operation simultaneously both on PF and VFs at the same time. While the previous patches added devlink knobs to change IPsec capabilities dynamically, there is a need to add a logic to block such IPsec capabilities for the cases when IPsec is already configured.

Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Link: https://lore.kernel.org/r/20230825062836.103744-7-saeed@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
b8c697e1 |
|
08-Aug-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Support IPsec upper TCP protocol selector

Support TCP as protocol selector for policy and state in IPsec packet offload mode.

Example of state configuration is as follows:

    ip xfrm state add src 192.168.25.3 dst 192.168.25.1 \
        proto esp spi 1001 reqid 10001 aead 'rfc4106(gcm(aes))' \
        0x54a7588d36873b031e4bd46301be5a86b3a53879 128 mode transport \
        offload packet dev re0 dir in sel src 192.168.25.3 dst 192.168.25.1 \
        proto tcp dport 9003

Acked-by: Raed Salem <raeds@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
c338325f |
|
08-Aug-2023 |
Emeel Hakim <ehakim@nvidia.com> |
net/mlx5e: Support IPsec upper protocol selector field offload for RX

Support RX policy/state upper protocol selector field offload, to enable selecting RX traffic for IPsec operation based on l4 protocol UDP with specific source/destination port.

Signed-off-by: Emeel Hakim <ehakim@nvidia.com>
Reviewed-by: Raed Salem <raeds@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
f5c5abc4 |
|
31-Jul-2023 |
Jianbo Liu <jianbol@nvidia.com> |
net/mlx5e: Prepare IPsec packet offload for switchdev mode

As the uplink representor is created only in switchdev mode, add a local variable for IPsec to indicate the device is in this mode. In this mode, IPsec ROCE is disabled, and crypto offload is kept as it is. However, as the tables for packet offload are created in FDB, ipsec->rx_esw and ipsec->tx_esw are added.

Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Link: https://lore.kernel.org/r/ee242398f3b0a18007749fe79ff6ff19445a0280.1690802064.git.leon@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
d6595493 |
|
18-Jul-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Support IPsec NAT-T functionality

Extend mlx5 IPsec packet offload to support UDP encapsulation of IPsec ESP packets.

Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
|
#
c75b9425 |
|
05-Jun-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Drop XFRM state lock when modifying flow steering

XFRM state which is changed to be XFRM_STATE_EXPIRED doesn't really need to hold lock while modifying flow steering rules to drop traffic.

That state can be deleted only and as such mlx5e_ipsec_handle_tx_limit() work will be canceled anyway and won't run in parallel.

Fixes: b2f7b01d36a9 ("net/mlx5e: Simulate missing IPsec TX limits hardware functionality")
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
cf5bb023 |
|
05-Jun-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Don't delay release of hardware objects

XFRM core provides two callbacks to release resources, one is .xdo_dev_policy_delete() and another is .xdo_dev_policy_free(). This separation allows delayed release so "ip xfrm policy free" commands won't starve. Unfortunately, mlx5 command interface can't run in .xdo_dev_policy_free() callbacks as the latter runs in ATOMIC context.

    BUG: scheduling while atomic: swapper/7/0/0x00000100
    Modules linked in: act_mirred act_tunnel_key cls_flower sch_ingress vxlan mlx5_vdpa vringh vhost_iotlb vdpa rpcrdma rdma_ucm ib_iser libiscsi ib_umad scsi_transport_iscsi rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay mlx5_core zram zsmalloc fuse
    CPU: 7 PID: 0 Comm: swapper/7 Not tainted 6.3.0+ #1
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
    Call Trace:
    <IRQ>
    dump_stack_lvl+0x33/0x50
    __schedule_bug+0x4e/0x60
    __schedule+0x5d5/0x780
    ? __mod_timer+0x286/0x3d0
    schedule+0x50/0x90
    schedule_timeout+0x7c/0xf0
    ? __bpf_trace_tick_stop+0x10/0x10
    __wait_for_common+0x88/0x190
    ? usleep_range_state+0x90/0x90
    cmd_exec+0x42e/0xb40 [mlx5_core]
    mlx5_cmd_do+0x1e/0x40 [mlx5_core]
    mlx5_cmd_exec+0x18/0x30 [mlx5_core]
    mlx5_cmd_delete_fte+0xa8/0xd0 [mlx5_core]
    del_hw_fte+0x60/0x120 [mlx5_core]
    mlx5_del_flow_rules+0xec/0x270 [mlx5_core]
    ? default_send_IPI_single_phys+0x26/0x30
    mlx5e_accel_ipsec_fs_del_pol+0x1a/0x60 [mlx5_core]
    mlx5e_xfrm_free_policy+0x15/0x20 [mlx5_core]
    xfrm_policy_destroy+0x5a/0xb0
    xfrm4_dst_destroy+0x7b/0x100
    dst_destroy+0x37/0x120
    rcu_core+0x2d6/0x540
    __do_softirq+0xcd/0x273
    irq_exit_rcu+0x82/0xb0
    sysvec_apic_timer_interrupt+0x72/0x90
    </IRQ>
    <TASK>
    asm_sysvec_apic_timer_interrupt+0x16/0x20
    RIP: 0010:default_idle+0x13/0x20
    Code: c0 08 00 00 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 72 ff ff ff cc cc cc cc 8b 05 7a 4d ee 00 85 c0 7e 07 0f 00 2d 2f 98 2e 00 fb f4 <fa> c3 66 66 2e 0f 1f 84 00 00 00 00 00 65 48 8b 04 25 40 b4 02 00
    RSP: 0018:ffff888100843ee0 EFLAGS: 00000242
    RAX: 0000000000000001 RBX: ffff888100812b00 RCX: 4000000000000000
    RDX: 0000000000000001 RSI: 0000000000000083 RDI: 000000000002d2ec
    RBP: 0000000000000007 R08: 00000021daeded59 R09: 0000000000000001
    R10: 0000000000000000 R11: 000000000000000f R12: 0000000000000000
    R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
    default_idle_call+0x30/0xb0
    do_idle+0x1c1/0x1d0
    cpu_startup_entry+0x19/0x20
    start_secondary+0xfe/0x120
    secondary_startup_64_no_verify+0xf3/0xfb
    </TASK>
    bad: scheduling from the idle thread!

Fixes: a5b8ca9471d3 ("net/mlx5e: Add XFRM policy offload logic")
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
45fd01f2 |
|
20-Apr-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Refactor duplicated code in mlx5e_ipsec_init_macs

ARP discovery code has same logic for RX and TX flows, but with different source and destination fields. Instead of duplicating same code in mlx5e_ipsec_init_macs, let's refactor.

Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
94edec44 |
|
20-Apr-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Properly release work data structure

There are some flows in which work structure is not allocated at all and it is needed to be checked prior release of data structure.

    general protection fault, probably for non-canonical address 0xdffffc000000000a: 0000 [#1] SMP KASAN
    KASAN: null-ptr-deref in range [0x0000000000000050-0x0000000000000057]
    CPU: 6 PID: 3486 Comm: kworker/6:0 Not tainted 6.3.0-rc5_for_upstream_debug_2023_04_06_11_01 #1
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
    Workqueue: events xfrm_state_gc_task
    RIP: 0010:mlx5e_xfrm_free_state+0x177/0x260 [mlx5_core]
    Code: c1 ea 03 80 3c 02 00 0f 85 f5 00 00 00 4c 8b a5 08 01 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 50 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 b7 00 00 00 49 8b 7c 24 50 e8 85 7c 09 e0 4c 89
    RSP: 0018:ffff888137a8fc50 EFLAGS: 00010206
    RAX: dffffc0000000000 RBX: ffff888180398000 RCX: 0000000000000000
    RDX: 000000000000000a RSI: ffffffffa1878227 RDI: 0000000000000050
    RBP: ffff88812a0c8000 R08: ffff888137a8fb60 R09: 0000000000000000
    R10: fffffbfff09aba0c R11: 0000000000000001 R12: 0000000000000000
    R13: ffff88812a0c8108 R14: ffffffff84c63480 R15: ffff8881acb63118
    FS: 0000000000000000(0000) GS:ffff88881eb00000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f667e8bc000 CR3: 0000000004693006 CR4: 0000000000370ea0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
    ___xfrm_state_destroy+0x3c8/0x5e0
    xfrm_state_gc_task+0xf6/0x140
    ? ___xfrm_state_destroy+0x5e0/0x5e0
    process_one_work+0x7c2/0x1340
    ? lockdep_hardirqs_on_prepare+0x3f0/0x3f0
    ? pwq_dec_nr_in_flight+0x230/0x230
    ? spin_bug+0x1d0/0x1d0
    worker_thread+0x59d/0xec0
    ? __kthread_parkme+0xd9/0x1d0
    ? process_one_work+0x1340/0x1340
    kthread+0x28f/0x330
    ? kthread_complete_and_exit+0x20/0x20
    ret_from_fork+0x1f/0x30
    Modules linked in: sch_ingress openvswitch nsh mlx5_vdpa vringh vhost_iotlb vdpa mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_umad ib_ipoib ib_cm ib_uverbs ib_core vfio_pci vfio_pci_core vfio_iommu_type1 vfio cuse overlay zram zsmalloc fuse [last unloaded: mlx5_core]
    ---[ end trace 0000000000000000 ]---

Fixes: 4562116f8a56 ("net/mlx5e: Generalize IPsec work structs")
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
697b3518 |
|
20-Apr-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Don't overwrite extack message returned from IPsec SA validator

Addition of new err_xfrm label caused to error messages be overwritten. Fix it by using proper NL_SET_ERR_MSG_WEAK_MOD macro together with change in a default message.

Fixes: aa8bd0c9518c ("net/mlx5e: Support IPsec acquire default SA")
Reviewed-by: Raed Salem <raeds@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
c941da23 |
|
13-Apr-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Accept tunnel mode for IPsec packet offload

Open mlx5 driver to accept IPsec tunnel mode.

Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Reviewed-by: Sridhar Samudrala <sridhar.samudrala@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
146c196b |
|
13-Apr-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Create IPsec table with tunnel support only when encap is disabled

Current hardware doesn't support double encapsulation which is happening when IPsec packet offload tunnel mode is configured together with eswitch encap option.

Any user attempt to add new SA/policy after he/she sets encap mode, will generate the following FW syndrome:

    mlx5_core 0000:08:00.0: mlx5_cmd_out_err:803:(pid 1904): CREATE_FLOW_TABLE(0x930) op_mod(0x0) failed, status bad parameter(0x3), syndrome (0xa43321), err(-22)

Make sure that we block encap changes before creating flow steering tables. This is applicable only for packet offload in tunnel mode, while packet offload in transport mode and crypto offload, don't have such limitation as they don't perform encapsulation.

Reviewed-by: Raed Salem <raeds@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Reviewed-by: Sridhar Samudrala <sridhar.samudrala@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
4c24272b |
|
13-Apr-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Listen to ARP events to update IPsec L2 headers in tunnel mode

In IPsec packet offload mode all header manipulations are performed by hardware, which is responsible to add/remove L2 header with source and destinations MACs.

CX-7 devices don't support offload of in-kernel routing functionality, as such HW needs external help to fill other side MAC as it isn't available for HW.

As a solution, let's listen to neigh ARP updates and reconfigure IPsec rules on the fly once new MAC data information arrives.

Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Reviewed-by: Sridhar Samudrala <sridhar.samudrala@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
efbd31c4 |
|
13-Apr-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Support IPsec TX packet offload in tunnel mode

Extend mlx5 driver with logic to support IPsec TX packet offload in tunnel mode.

Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Reviewed-by: Sridhar Samudrala <sridhar.samudrala@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
37a417ca |
|
13-Apr-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Support IPsec RX packet offload in tunnel mode

Extend mlx5 driver with logic to support IPsec RX packet offload in tunnel mode.

Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Reviewed-by: Sridhar Samudrala <sridhar.samudrala@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
6480a3b6 |
|
13-Apr-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Prepare IPsec packet reformat code for tunnel mode

Refactor setup_pkt_reformat() function to accommodate future extension to support tunnel mode.

Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Reviewed-by: Sridhar Samudrala <sridhar.samudrala@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
b2f7b01d |
|
30-Mar-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Simulate missing IPsec TX limits hardware functionality

ConnectX-7 devices don't have ability to send TX hard/soft limits events. As a possible workaround, let's rely on existing infrastructure and use periodic check of cached flow counter. In these periodic checks, we call to xfrm_state_check_expire() to check and mark state accordingly.

Once the state is marked as XFRM_STATE_EXPIRED, the SA flow rule is changed to drop all the traffic.

Link: https://lore.kernel.org/r/94a5d82c0c399747117d8a558f9beebfbcf26154.1680162300.git.leonro@nvidia.com
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
|
#
4562116f |
|
30-Mar-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Generalize IPsec work structs

IPsec logic has two work structs which are submitted to same workqueue. As a preparation to addition of new work which needs to be submitted too, let's generalize struct mlx5e_ipsec_work.

Link: https://lore.kernel.org/r/285a1550242363de181bab3a07a69296f66ad9a8.1680162300.git.leonro@nvidia.com
Reviewed-by: Raed Salem <raeds@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
|
#
20fbdab2 |
|
30-Mar-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Reduce contention in IPsec workqueue

IPsec workqueue shouldn't be declared as ordered queue with one work per-CPU, and can be safely changed to be unordered with default number of works per-CPU.

Link: https://lore.kernel.org/r/5dc224a4decd09c14f645d38173e1a1710802cd8.1680162300.git.leonro@nvidia.com
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
|
#
7db21ef4 |
|
30-Mar-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Set IPsec replay sequence numbers

"ip xfrm state ..." command allows users to configure replay sequence numbers with replay-seq* arguments for RX and replay-oseq* for TX.

Add the needed driver logic to support setting them.

Link: https://lore.kernel.org/r/a9b17827eff2b29a4951225efa684a6cd38f74fe.1680162300.git.leonro@nvidia.com
Reviewed-by: Raed Salem <raeds@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
|
#
f4979e26 |
|
30-Mar-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Remove ESN callbacks if it is not supported

There is no need in implementation of .xdo_dev_state_advance_esn() and setting work as it will never be called in packet offload mode.

Link: https://lore.kernel.org/r/2fc9fade32e31f03b100d6086a82ad36269349dc.1680162300.git.leonro@nvidia.com
Reviewed-by: Raed Salem <raeds@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
|
#
d05971a4 |
|
30-Mar-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Add SW implementation to support IPsec 64 bit soft and hard limits

The CX7 cards which support IPsec packet offload use 32 bits to configure soft and hard packet limits. This is not enough as the software part using 64 bits. The needed functionality of supporting 64 bits is implemented through mlx5 abstraction layer, which will ensure that HW is reconfigured on-demand every 2^31 packets.

To simulate the 64 bit IPsec soft/hard limits, we divide the soft/hard limits to multiple interrupts (rounds). Each round counts 2^31 packets. Once the counter is less than or equal to 2^31, the soft event is raised and software sets the bit 31 of the counter and decrement the round counter.

Link: https://lore.kernel.org/r/5a86c890b6dccb6865acf9042a8b03f899d1f3f9.1680162300.git.leonro@nvidia.com
Reviewed-by: Raed Salem <raeds@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
|
#
2da961d2 |
|
30-Mar-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Prevent zero IPsec soft/hard limits

Hardware triggers limit events when the packets arrive and are processed through the device. In case zero was configured as a limit, the HW won't be able to arm event as it happens at the end of execution pipeline.

Let's prevent such configuration.

Link: https://lore.kernel.org/r/80d0ba33e21fb28b1b91d306d1da39df3d990b68.1680162300.git.leonro@nvidia.com
Reviewed-by: Raed Salem <raeds@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
|
#
5a6cddb8 |
|
14-Mar-2023 |
Raed Salem <raeds@nvidia.com> |
net/mlx5e: Update IPsec per SA packets/bytes count

Providing per SA packets/bytes statistics mandates creating unique counter per SA flow for Rx/Tx, whenever offloaded SA statistics is desired query the specific SA counter to provide the stack with the needed data.

Signed-off-by: Raed Salem <raeds@nvidia.com>
Link: https://lore.kernel.org/r/7d5ce20ac495f3054afb633128700e7b7eeeb3cd.1678714336.git.leon@kernel.org
Signed-off-by: Leon Romanovsky <leon@kernel.org>
|
#
aa8bd0c9 |
|
14-Mar-2023 |
Raed Salem <raeds@nvidia.com> |
net/mlx5e: Support IPsec acquire default SA

During XFRM stack acquire flow, a default SA is created to be updated later, once acquire netlink message is handled in user space.

This SA is also passed to IPsec offload supporting driver, however this SA acts only as placeholder and does not have context suitable for offloading in HW yet. Identify this kind of SA by special offload flag (XFRM_DEV_OFFLOAD_FLAG_ACQ), and create a SW only context.

In such cases with special mark so it won't be installed in HW in addition flow and on remove/delete free this SW only context.

Signed-off-by: Raed Salem <raeds@nvidia.com>
Link: https://lore.kernel.org/r/8f36d6b61631dcd73fef0a0ac623456030bc9db0.1678714336.git.leon@kernel.org
Signed-off-by: Leon Romanovsky <leon@kernel.org>
|
#
b3beba1f |
|
14-Mar-2023 |
Raed Salem <raeds@nvidia.com> |
net/mlx5e: Allow policies with reqid 0, to support IKE policy holes

IKE policies hole, is special policy that exists to allow for IKE traffic to bypass IPsec encryption even though there are already policies and SA(s) configured on same endpoints, these policies do not necessarily have the reqid configured, so need to add an exception for such policies. These kind of policies are allowed under the condition that at least upper protocol and/or ips are not 0.

Signed-off-by: Raed Salem <raeds@nvidia.com>
Link: https://lore.kernel.org/r/cbcadde312c24de74c47d9b0616f86a5818cc9bf.1678714336.git.leon@kernel.org
Signed-off-by: Leon Romanovsky <leon@kernel.org>
|
#
fa5aa2f8 |
|
14-Mar-2023 |
Paul Blakey <paulb@nvidia.com> |
net/mlx5e: Use chains for IPsec policy priority offload

Currently, policy priority field is ignored and so order of matching is unpredictable.

Use chains for RX/TX policy offload to support the priority field.

Signed-off-by: Paul Blakey <paulb@nvidia.com>
Reviewed-by: Raed Salem <raeds@nvidia.com>
Link: https://lore.kernel.org/r/9ef3ef88858217932696ad413b1b147b799a11be.1678714336.git.leon@kernel.org
Signed-off-by: Leon Romanovsky <leon@kernel.org>
|
#
a7385187 |
|
11-Jan-2023 |
Raed Salem <raeds@nvidia.com> |
net/mlx5e: IPsec, support upper protocol selector field offload

Add support to policy/state upper protocol selector field offload, this will enable to select traffic for IPsec operation based on l4 protocol (TCP/UDP) with specific source/destination port.

Signed-off-by: Raed Salem <raeds@nvidia.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
902812b8 |
|
24-Jan-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Fill IPsec state validation failure reason

Rely on extack to return failure reason.

Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
7681a4f5 |
|
24-Jan-2023 |
Leon Romanovsky <leon@kernel.org> |
xfrm: extend add state callback to set failure reason

Almost all validation logic is in the drivers, but they are missing reliable way to convey failure reason to userspace applications.

Let's use extack to return this information to users.

Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
1bb70c5a |
|
24-Jan-2023 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Fill IPsec policy validation failure reason

Rely on extack to return failure reason.

Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
3089386d |
|
24-Jan-2023 |
Leon Romanovsky <leon@kernel.org> |
xfrm: extend add policy callback to set failure reason

Almost all validation logic is in the drivers, but they are missing reliable way to convey failure reason to userspace applications.

Let's use extack to return this information to users.

Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
37d244ad |
|
02-Dec-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Open mlx5 driver to accept IPsec packet offload

Enable configuration of IPsec packet offload through XFRM state add interface together with moving specific to IPsec packet mode limitations to specific switch-case section.

Reviewed-by: Raed Salem <raeds@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
|
#
cee137a6 |
|
02-Dec-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Handle ESN update events

Extend event logic to update ESN state (esn_msb, esn_overlap) for an IPsec Offload context.

Reviewed-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
|
#
8c582ddf |
|
02-Dec-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Handle hardware IPsec limits events

Enable object changed event to signal IPsec about hitting soft and hard limits.

Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
|
#
1ed78fc0 |
|
02-Dec-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Update IPsec soft and hard limits

Implement mlx5 IPsec callback to update current lifetime counters.

Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
|
#
403b383a |
|
02-Dec-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Store all XFRM SAs in Xarray

Instead of performing custom hash calculations, rely on FW that returns unique identifier to every created SA. That identifier is Xarray ready, which provides better semantic with efficient access.

In addition, store both TX and RX SAs to allow correlation between event generated by HW when limits are armed and XFRM states.

Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
|
#
67212396 |
|
02-Dec-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Skip IPsec encryption for TX path without matching policy

Software implementation of IPsec skips encryption of packets in TX path if no matching policy is found. So align HW implementation to this behavior, by requiring matching reqid for offloaded policy and SA.

Reviewed-by: Raed Salem <raeds@nvidia.com>
Reviewed-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
|
#
6b5c45e1 |
|
02-Dec-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Configure IPsec packet offload flow steering

In packet offload mode, the HW is responsible to handle ESP headers, SPI numbers and trailers (ICV) together with different logic for RX and TX paths.

In order to support packet offload mode, special logic is added to flow steering rules.

Reviewed-by: Raed Salem <raeds@nvidia.com>
Reviewed-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
|
#
a5b8ca94 |
|
02-Dec-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Add XFRM policy offload logic

Implement mlx5 flow steering logic and mlx5 IPsec code support XFRM policy offload.

Reviewed-by: Raed Salem <raeds@nvidia.com>
Reviewed-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
|
#
8d15f364 |
|
02-Dec-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Create hardware IPsec packet offload objects

Create initial hardware IPsec packet offload object and connect it to advanced steering operation (ASO) context and queue, so the data path can communicate with the stack.

Reviewed-by: Raed Salem <raeds@nvidia.com>
Reviewed-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
|
#
8518d05b |
|
02-Dec-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Create Advanced Steering Operation object for IPsec Setup the ASO (Advanced Steering Operation) object that is needed for IPsec to interact with SW stack about various fast changing events: replay window, lifetime limits, etc. Reviewed-by: Raed Salem <raeds@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
|
#
c7049ca6 |
|
02-Dec-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Remove accesses to priv for low level IPsec FS code mlx5 priv structure is driver main structure that holds high level data. That information is not needed for IPsec flow steering logic and the pointer to mlx5e_priv was not supposed to be passed in the first place. This change "cleans" the logic to rely on internal to IPsec structures without touching global mlx5e_priv. Reviewed-by: Raed Salem <raeds@nvidia.com> Reviewed-by: Saeed Mahameed <saeedm@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
|
#
e3840530 |
|
02-Dec-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Remove extra layers of defines Instead of performing redefinition of XFRM core defines to same values but with MLX5_* prefix, cache the input values as is by making sure that the proper storage objects are used. Reviewed-by: Raed Salem <raeds@nvidia.com> Reviewed-by: Saeed Mahameed <saeedm@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
|
#
cded6d80 |
|
02-Dec-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Store replay window in XFRM attributes As a preparation for future extension of IPsec hardware object to allow configuration of packet offload mode, extend the XFRM validator to check replay window values. Reviewed-by: Raed Salem <raeds@nvidia.com> Reviewed-by: Saeed Mahameed <saeedm@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
|
#
62f6eca5 |
|
02-Dec-2022 |
Leon Romanovsky <leon@kernel.org> |
xfrm: allow state packet offload mode Allow users to configure xfrm states with packet offload mode. The packet mode must be requested both for policy and state, and as such requires us to not implement fallback. We explicitly return an error if requested packet mode can't be configured. Reviewed-by: Raed Salem <raeds@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
|
#
953d7715 |
|
22-Aug-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Support devlink reload of IPsec core Change IPsec initialization flow to allow future creation of hardware resources that should be released and allocated during devlink reload operation. As part of that change, update function signature to be void as no callers are actually interested in it. Reviewed-by: Saeed Mahameed <saeedm@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
888be6b2 |
|
26-Oct-2022 |
Hyong Youb Kim <hyonkim@cisco.com> |
net/mlx5e: Do not increment ESN when updating IPsec ESN state

An offloaded SA stops receiving after about 2^32 + replay_window packets. For example, when SA reaches <seq-hi 0x1, seq 0x2c>, all subsequent packets get dropped with SA-icv-failure (integrity_failed).

To reproduce the bug:
- ConnectX-6 Dx with crypto enabled (FW 22.30.1004)
- ipsec.conf:
  nic-offload = yes
  replay-window = 32
  esn = yes
  salifetime=24h
- Run netperf for a long time to send more than 2^32 packets
  netperf -H <device-under-test> -t TCP_STREAM -l 20000

When 2^32 + replay_window packets are received, the replay window moves from the 2nd half of subspace (overlap=1) to the 1st half (overlap=0). The driver then updates the 'esn' value in NIC (i.e. seq_hi) as follows.

seq_hi = xfrm_replay_seqhi(seq_bottom)
new esn in NIC = seq_hi + 1

The +1 increment is wrong, as seq_hi already contains the correct seq_hi. For example, when seq_hi=1, the driver actually tells NIC to use seq_hi=2 (esn). This incorrect esn value causes all subsequent packets to fail integrity checks (SA-icv-failure). So, do not increment.

Fixes: cb01008390bb ("net/mlx5: IPSec, Add support for ESN") Signed-off-by: Hyong Youb Kim <hyonkim@cisco.com> Acked-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com> Link: https://lore.kernel.org/r/20221026135153.154807-2-saeed@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
3ef535ec |
|
05-May-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5e: Use XFRM state direction instead of flags Convert mlx5 driver to use XFRM state direction. Reviewed-by: Raed Salem <raeds@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
|
#
6cd2126a |
|
27-Mar-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5: Cleanup XFRM attributes struct Remove everything that is not used or from mlx5_accel_esp_xfrm_attrs, together with change type of spi to store proper type from the beginning. Reviewed-by: Raed Salem <raeds@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
effbe267 |
|
20-Mar-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5: Simplify IPsec capabilities logic Reduce number of hard-coded IPsec capabilities by making sure that mlx5_ipsec_device_caps() sets only supported bits. As part of this change, remove _ACCEL_ notations from the capabilities names as they represent IPsec-capable device, so it is aligned with MLX5_CAP_IPSEC() macro. And prepare the code to IPsec full offload mode. Reviewed-by: Raed Salem <raeds@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
a8444b0b |
|
20-Mar-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5: Don't advertise IPsec netdev support for non-IPsec device Device that lacks proper IPsec capabilities won't pass mlx5e_ipsec_init() later, so no need to advertise HW netdev offload support for something that isn't going to work anyway. Fixes: 8ad893e516a7 ("net/mlx5e: Remove dependency in IPsec initialization flows") Reviewed-by: Raed Salem <raeds@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
82f7bdba |
|
10-Mar-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5: Clean IPsec FS add/delete rules Reuse existing struct to pass parameters instead of open code them. Reviewed-by: Raed Salem <raeds@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
b73e6728 |
|
09-Mar-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5: Simplify HW context interfaces by using SA entry SA context logic used multiple structures to store same data over and over. By simplifying the SA context interfaces, we can remove extra structs. Reviewed-by: Raed Salem <raeds@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
c6e3b421 |
|
09-Mar-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5: Merge various control path IPsec headers into one file The mlx5 IPsec code has logical separation between code that operates with XFRM objects (ipsec.c), HW objects (ipsec_offload.c), flow steering logic (ipsec_fs.c) and data path (ipsec_rxtx.c). Such separation makes sense for C-files, but isn't needed at all for H-files as they are included in batch anyway. Reviewed-by: Raed Salem <raeds@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
c674df97 |
|
08-Mar-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5: Store IPsec ESN update work in XFRM state mlx5 IPsec code updated ESN through workqueue with allocation calls in the data path, which can be saved easily if the work is created during XFRM state initialization routine. The locking used later in the work didn't protect from anything because change of HW context is possible during XFRM state add or delete only, which can cancel work and make sure that it is not running. Reviewed-by: Raed Salem <raeds@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
a05a5469 |
|
02-Mar-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5: Reduce useless indirection in IPsec FS add/delete flows There is no need in one-liners wrappers to call internal functions. Let's remove them. Reviewed-by: Raed Salem <raeds@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
021a429b |
|
01-Mar-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5: Don't hide fallback to software IPsec in FS code The XFRM code performs fallback to software IPsec if .xdo_dev_state_add() returns -EOPNOTSUPP. This is what mlx5 did very deep in its stack trace, despite having all the knowledge that IPsec is not going to work in very early stage. This is achieved by making sure that priv->ipsec pointer is valid for fully working and supported hardware crypto IPsec engine. In case, the hardware IPsec is not supported, the XFRM code will set NULL to xso->dev and it will prevent from calls to various .xdo_dev_state_*() callbacks. Reviewed-by: Raed Salem <raeds@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
9af1968e |
|
06-Mar-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5: Check IPsec TX flow steering namespace in advance Ensure that flow steering is usable as early as possible, to understand if crypto IPsec is supported or not. Reviewed-by: Raed Salem <raeds@nvidia.com> Reviewed-by: Saeed Mahameed <saeedm@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
301e0be8 |
|
06-Mar-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5: Simplify IPsec flow steering init/cleanup functions Remove multiple function wrappers to make sure that IPsec FS initialization and cleanup functions present in one place to help with code readability. Reviewed-by: Raed Salem <raeds@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
2451da08 |
|
06-Apr-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5: Unify device IPsec capabilities check Merge two different functions into one in order to provide coherent picture if the device is IPsec capable or not. Link: https://lore.kernel.org/r/8f10ea06ad19c6f651e9fb33921009658f01e1d5.1649232994.git.leonro@nvidia.com Reviewed-by: Raed Salem <raeds@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
|
#
5a985aa3 |
|
06-Apr-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5: Remove useless IPsec device checks The mlx5_is_ipsec_device() check was to distinguish ConnectX device related ops from FPGA, so post removing FPGA IPsec code this check can be removed as no other device implements it. It is safe to do it as there is already embedded check of IPsec device in mlx5_accel_ipsec_device_caps(). Link: https://lore.kernel.org/r/e45362abfcabe18e8af20ec8d1acdc99355978f3.1649232994.git.leonro@nvidia.com Reviewed-by: Raed Salem <raeds@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
|
#
de8bdb47 |
|
06-Apr-2022 |
Leon Romanovsky <leon@kernel.org> |
RDMA/mlx5: Drop crypto flow steering API The mlx5 flow steering crypto API was intended to be used in FPGA devices, which is not supported for years already. The removal of mlx5 crypto FPGA code together with inability to configure encryption keys makes the flow steering API completely unusable. So delete the code, so any ESP flow steering requests will fail with not supported error, as it is happening now anyway as no device supports this type of API. Link: https://lore.kernel.org/r/634a5face7734381463d809bfb89850f6998deac.1649232994.git.leonro@nvidia.com Reviewed-by: Raed Salem <raeds@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
|
#
3c811a6b |
|
06-Apr-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5: Remove XFRM no_trailer flag Only FPGA needed this NO_TRAILER flag, so remove this assignment. Link: https://lore.kernel.org/r/636d75421e1ca4254a062537eea001ab0e50e19b.1649232994.git.leonro@nvidia.com Reviewed-by: Raed Salem <raeds@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
|
#
501a9b23 |
|
06-Apr-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5: Remove not-used IDA field from IPsec struct The IDA halloc variable is not needed and can be removed. Link: https://lore.kernel.org/r/cbecfbe01621e1b8bde746aa7f6c08497e656a25.1649232994.git.leonro@nvidia.com Reviewed-by: Raed Salem <raeds@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
|
#
71ab5807 |
|
11-Jan-2022 |
Leon Romanovsky <leon@kernel.org> |
net/mlx5: Delete useless module.h include There is no need in include of module.h in the following files. Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
5589b8f1 |
|
19-Jun-2020 |
Raed Salem <raeds@nvidia.com> |
net/mlx5e: Add IPsec support to uplink representor Add the xfrm xdo and ipsec_init/cleanup to uplink representor to support IPsec in SRIOV switchdev mode. Signed-off-by: Raed Salem <raeds@nvidia.com> Signed-off-by: Huy Nguyen <huyn@nvidia.com> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
8ad893e5 |
|
28-May-2021 |
Huy Nguyen <huyn@nvidia.com> |
net/mlx5e: Remove dependency in IPsec initialization flows Currently, IPsec feature is disabled because mlx5e_build_nic_netdev is required to be called after mlx5e_ipsec_init. This requirement is invalid as mlx5e_build_nic_netdev and mlx5e_ipsec_init initialize independent resources. Remove ipsec pointer check in mlx5e_build_nic_netdev so that the two functions can be called at any order. Fixes: 547eede070eb ("net/mlx5e: IPSec, Innova IPSec offload infrastructure") Signed-off-by: Huy Nguyen <huyn@nvidia.com> Reviewed-by: Raed Salem <raeds@nvidia.com> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
5be01904 |
|
16-Jun-2020 |
Raed Salem <raeds@mellanox.com> |
net/mlx5e: IPsec: Add Connect-X IPsec Tx data path offload

In the TX data path, spot packets with xfrm stack IPsec offload indication. Fill Software-Parser segment in TX descriptor so that the hardware may parse the ESP protocol, and perform TX checksum offload on the inner payload. Support GSO, by providing the trailer data and ICV placeholder so HW can fill it post encryption operation.

Padding alignment cannot be performed in HW (ConnectX-6Dx) due to a bug. Software can overcome this limitation by adding NETIF_F_HW_ESP to the gso_partial_features field in netdev so the packets are aligned by the stack.

l4_inner_checksum cannot be offloaded by HW for IPsec tunnel type packet.

Note that for GSO SKBs, the stack does not include an ESP trailer, unlike the non-GSO case.

Below is the iperf3 performance report on two servers of 24 cores Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz with ConnectX6-DX. All the bandwidth test uses iperf3 TCP traffic with packet size 128KB. Each tunnel uses one iperf3 stream with one thread (option -P1). TX crypto offload shows improvements on both bandwidth and CPU utilization.

| Mode | Num tunnel | BW (Gbps) | Send CPU util (Average %) | Recv CPU util (Average %) |
|---|---|---|---|---|
| Crypto offload (RX only) | 1 | 4.7 | 4.2 | 3.5 |
| Crypto offload (RX only) | 24 | 15.6 | 20 | 10 |
| Non-offload | 1 | 4.6 | 4 | 5 |
| Non-offload | 24 | 11.9 | 16 | 12 |
| Crypto offload (TX & RX) | 1 | 11.9 | 2.1 | 5.9 |
| Crypto offload (TX & RX) | 24 | 38 | 9.5 | 27.5 |
| Crypto offload (TX only) | 1 | 4.7 | 0.7 | 5 |
| Crypto offload (TX only) | 24 | 14.5 | 6 | 20 |

Regression tests show no degradation on non-ipsec and non-offload-ipsec traffics. The packet rate test uses pktgen UDP to transmit on single CPU, the instructions and cycles are measured on the transmit CPU.

before:

| Mode | Num tunnel | BW (Gbps) | Send CPU util (Average %) | Recv CPU util (Average %) |
|---|---|---|---|---|
| Non-offload | 1 | 4.7 | 4.2 | 5.1 |
| Non-offload | 24 | 11.2 | 14 | 15 |
| Non-ipsec | 1 | 28 | 4 | 5.7 |
| Non-ipsec | 24 | 68.3 | 17.8 | 39.7 |

Non-ipsec packet rate(BURST=1000 BC=5 NCPUS=1 SIZE=60) 13.56Mpps, 456 instructions/pkt, 191 cycles/pkt

after:

| Mode | Num tunnel | BW (Gbps) | Send CPU util (Average %) | Recv CPU util (Average %) |
|---|---|---|---|---|
| Non-offload | 1 | 4.69 | 4.2 | 5 |
| Non-offload | 24 | 11.9 | 13.5 | 15.1 |
| Non-ipsec | 1 | 29 | 3.2 | 5.5 |
| Non-ipsec | 24 | 68.2 | 18.5 | 39.8 |

Non-ipsec packet rate: 13.56Mpps, 472 instructions/pkt, 191 cycles/pkt

Signed-off-by: Raed Salem <raeds@mellanox.com> Signed-off-by: Huy Nguyen <huyn@mellanox.com> Reviewed-by: Maxim Mikityanskiy <maximmi@mellanox.com> Reviewed-by: Tariq Toukan <tariqt@nvidia.com> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
|
#
5e466345 |
|
05-Jun-2020 |
Huy Nguyen <huyn@mellanox.com> |
net/mlx5e: IPsec: Add IPsec steering in local NIC RX Introduce decrypt FT, the RX error FT and the default rules. The IPsec RX decrypt flow table is pointed by the TTC (Traffic Type Classifier) ESP steering rules. The decrypt flow table has two flow groups. The first flow group keeps the decrypt steering rule programmed via the "ip xfrm s" interface. The second flow group has a default rule to forward all non-offloaded ESP packet to the TTC ESP default RSS TIR. The RX error flow table is the destination of the decrypt steering rules in the IPsec RX decrypt flow table. It has a fixed rule with single copy action that copies ipsec_syndrome to metadata_regB[0:6]. The IPsec syndrome is used to filter out non-ipsec packet and to return the IPsec crypto offload status in Rx flow. The destination of RX error flow table is the TTC ESP default RSS TIR. All the FTs (decrypt FT and error FT) are created only when IPsec SAs are added. If there is no IPsec SAs, the FTs are removed. Signed-off-by: Huy Nguyen <huyn@mellanox.com> Reviewed-by: Boris Pismenny <borisp@mellanox.com> Reviewed-by: Tariq Toukan <tariqt@mellanox.com> Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
|
#
2d64663c |
|
29-Jan-2020 |
Raed Salem <raeds@mellanox.com> |
net/mlx5: IPsec: Add HW crypto offload support

This patch adds support for Connect-X IPsec crypto offload by implementing the IPsec acceleration layer needed routines, which delegates IPsec offloads to Connect-X routines.

In Connect-X IPsec, a Security Association (SA) is added or deleted via allocating a HW context of an encryption/decryption key and a HW context of a matching SA (IPsec object). The Security Policy (SP) is added or deleted by creating matching Tx/Rx steering rules with an action of encryption/decryption respectively, executed using the previously allocated SA HW context.

When new xfrm state (SA) is added:
- Use a separate crypto key HW context.
- Create a separate IPsec context in HW to include the SA properties:
  - aes-gcm salt.
  - ICV properties (ICV length, implicit IV).
  - on supported devices also update ESN.
  - associate the allocated crypto key with this IPsec context.

Introduce a new compilation flag MLX5_IPSEC for it. Downstream patches will implement the Rx,Tx steering and will add the update esn.

Signed-off-by: Raed Salem <raeds@mellanox.com> Signed-off-by: Huy Nguyen <huyn@mellanox.com> Reviewed-by: Tariq Toukan <tariqt@mellanox.com> Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
|
#
9a6ad1ad |
|
18-Nov-2019 |
Raed Salem <raeds@mellanox.com> |
net/mlx5: Accel, Add core IPsec support for the Connect-X family

This to set the base for downstream patches to support the new IPsec implementation of the Connect-X family. Following modifications made:
- Remove accel layer dependency from MLX5_FPGA_IPSEC.
- Introduce accel_ipsec_ops, each IPsec device will have to support these ops.

Signed-off-by: Raed Salem <raeds@mellanox.com> Reviewed-by: Tariq Toukan <tariqt@mellanox.com> Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
|
#
bdfd2d1f |
|
23-Jun-2020 |
Jarod Wilson <jarod@redhat.com> |
bonding/xfrm: use real_dev instead of slave_dev Rather than requiring every hw crypto capable NIC driver to do a check for slave_dev being set, set real_dev in the xfrm layer and xso init time, and then override it in the bonding driver as needed. Then NIC drivers can always use real_dev, and at the same time, we eliminate the use of a variable name that probably shouldn't have been used in the first place, particularly given recent current events. CC: Boris Pismenny <borisp@mellanox.com> CC: Saeed Mahameed <saeedm@mellanox.com> CC: Leon Romanovsky <leon@kernel.org> CC: Jay Vosburgh <j.vosburgh@gmail.com> CC: Veaceslav Falico <vfalico@gmail.com> CC: Andy Gospodarek <andy@greyhouse.net> CC: "David S. Miller" <davem@davemloft.net> CC: Jeff Kirsher <jeffrey.t.kirsher@intel.com> CC: Jakub Kicinski <kuba@kernel.org> CC: Steffen Klassert <steffen.klassert@secunet.com> CC: Herbert Xu <herbert@gondor.apana.org.au> CC: netdev@vger.kernel.org Suggested-by: Saeed Mahameed <saeedm@mellanox.com> Signed-off-by: Jarod Wilson <jarod@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
bf3a058d |
|
19-Jun-2020 |
Jarod Wilson <jarod@redhat.com> |
mlx5: become aware of when running as a bonding slave I've been unable to get my hands on suitable supported hardware to date, but I believe this ought to be all that is needed to enable the mlx5 driver to also work with bonding active-backup crypto offload passthru. CC: Boris Pismenny <borisp@mellanox.com> CC: Saeed Mahameed <saeedm@mellanox.com> CC: Leon Romanovsky <leon@kernel.org> CC: Jay Vosburgh <j.vosburgh@gmail.com> CC: Veaceslav Falico <vfalico@gmail.com> CC: Andy Gospodarek <andy@greyhouse.net> CC: "David S. Miller" <davem@davemloft.net> CC: Jeff Kirsher <jeffrey.t.kirsher@intel.com> CC: Jakub Kicinski <kuba@kernel.org> CC: Steffen Klassert <steffen.klassert@secunet.com> CC: Herbert Xu <herbert@gondor.apana.org.au> CC: netdev@vger.kernel.org Signed-off-by: Jarod Wilson <jarod@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
7dfee4b1 |
|
23-Oct-2019 |
Raed Salem <raeds@mellanox.com> |
net/mlx5: IPsec, Refactor SA handle creation and destruction Currently the SA handle is created and managed as part of the common code for different IPsec supporting HW, this handle is passed to HW to be used on Rx to identify the SA handle that was used to return the xfrm state to stack. The above implementation poses a limitation on managing this handle. Refactor by moving management of this field to the specific HW code. Downstream patches will introduce the Connect-X support for IPsec that will use this handle differently than current implementation. Signed-off-by: Raed Salem <raeds@mellanox.com> Reviewed-by: Boris Pismenny <borisp@mellanox.com> Reviewed-by: Huy Nguyen <huyn@mellanox.com> Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
|
#
1dbd51d0 |
|
10-Dec-2019 |
Raed Salem <raeds@mellanox.com> |
net/mlx5: Refactor mlx5_accel_esp_create_hw_context parameter list Currently the FPGA IPsec is the only hw implementation of the IPsec acceleration api, and so the mlx5_accel_esp_create_hw_context was wrongly made to suit this HW api, among other in its parameter list and some of its parameter endianness. This implementation might not be suitable for different HW. Refactor by group and pass all function arguments of mlx5_accel_esp_create_hw_context in common mlx5_accel_esp_xfrm_attrs struct field of mlx5_accel_esp_xfrm struct and correct the endianness according to the HW being called. Signed-off-by: Raed Salem <raeds@mellanox.com> Reviewed-by: Boris Pismenny <borisp@mellanox.com> Reviewed-by: Huy Nguyen <huyn@mellanox.com> Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
|
#
0120936a |
|
11-Feb-2020 |
Christophe JAILLET <christophe.jaillet@wanadoo.fr> |
net/mlx5: Remove a useless 'drain_workqueue()' call in 'mlx5e_ipsec_cleanup()' 'destroy_workqueue()' already calls 'drain_workqueue()', there is no need to call it explicitly. Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
|
#
cb010083 |
|
18-Jan-2018 |
Aviad Yehezkel <aviadye@mellanox.com> |
net/mlx5: IPSec, Add support for ESN

Currently ESN is not supported with IPSec device offload. This patch adds ESN support to IPsec device offload. Implementing new xfrm device operation to synchronize offloading device ESN with xfrm received SN. New QP command to update SA state at the following:

          ESN 1                   ESN 2                   ESN 3
|-----------*-----------|-----------*-----------|-----------*
^           ^           ^           ^           ^           ^

^ - marks where QP command invoked to update the SA ESN state machine.
| - marks the start of the ESN scope (0-2^32-1). At this point move SA ESN overlap bit to zero and increment ESN.
* - marks the middle of the ESN scope (2^31). At this point move SA ESN overlap bit to one.

Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com> Signed-off-by: Yossef Efraim <yossefe@mellanox.com> Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
|
#
75ef3f55 |
|
18-Jan-2018 |
Aviad Yehezkel <aviadye@mellanox.com> |
net/mlx5e: Added common function for to_ipsec_sa_entry New function for getting driver internal sa entry from xfrm state. All checks are done in one function. Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com> Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
|
#
d6c4f029 |
|
18-Jan-2018 |
Aviad Yehezkel <aviadye@mellanox.com> |
net/mlx5: Refactor accel IPSec code The current code has one layer that executed FPGA commands and the Ethernet part directly used this code. Since downstream patches introduces support for IPSec in mlx5_ib, we need to provide some abstractions. This patch refactors the accel code into one layer that creates a software IPSec transformation and another one which creates the actual hardware context. The internal command implementation is now hidden in the FPGA core layer. The code also adds the ability to share FPGA hardware contexts. If two contexts are the same, only a reference count is taken. Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com> Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
|
#
1d2005e2 |
|
29-Jan-2018 |
Aviad Yehezkel <aviadye@mellanox.com> |
net/mlx5: Export ipsec capabilities We will need that for ipsec verbs. Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com> Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
|
#
65802f48 |
|
16-Jan-2018 |
Aviad Yehezkel <aviadye@mellanox.com> |
net/mlx5: IPSec, Add command V2 support This patch adds V2 command support. New fpga devices support extended features (udp encap, esn etc...), these features require new hardware sadb format therefore we have a new version of commands to manipulate it. Signed-off-by: Yossef Efraim <yossefe@mellanox.com> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com> Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
|
#
788a8210 |
|
22-Oct-2017 |
Yossi Kuperman <yossiku@mellanox.com> |
net/mlx5e: IPSec, Add support for ESP trailer removal by hardware Current hardware decrypts and authenticates incoming ESP packets. Subsequently, the software extracts the nexthdr field, truncates the trailer and adjusts csum accordingly. With this patch and a capable device, the trailer is being removed by the hardware and the nexthdr field is conveyed via PET. This way we avoid both the need to access the trailer (cache miss) and to compute its relative checksum, which significantly improve the performance. Experiment shows that trailer removal improves the performance by 2Gbps, (netperf). Both forwarding and host-to-host configurations. Signed-off-by: Yossi Kuperman <yossiku@mellanox.com> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com> Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
|
#
1c9a10eb |
|
29-Jan-2018 |
Aviad Yehezkel <aviadye@mellanox.com> |
net/mlx5e: Removed not need synchronize_rcu This is already done by xfrm layer between state_dev_del callback to state_dev_free callback. Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com> Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
|
#
dc7debec |
|
28-Jan-2018 |
Aviad Yehezkel <aviadye@mellanox.com> |
net/mlx5e: Fixed sleeping inside atomic context We can't allocate with GFP_KERNEL inside spinlock. Actually ida_simple doesn't require spinlock so remove it. Fixes: 547eede070eb ("net/mlx5e: IPSec, Innova IPSec offload infrastructure") Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com> Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
|
#
2ac9cfe7 |
|
18-Apr-2017 |
Ilan Tayari <ilant@mellanox.com> |
net/mlx5e: IPSec, Add Innova IPSec offload TX data path In the TX data path, prepend a special metadata ethertype which instructs the hardware to perform cryptography. In addition, fill Software-Parser segment in TX descriptor so that the hardware may parse the ESP protocol, and perform TX checksum offload on the inner payload. Support GSO, by providing the inverse of gso_size in the metadata. This allows the FPGA to update the ESP header (seqno and seqiv) on the resulting packets, by calculating the packet number within the GSO back from the TCP sequence number. Note that for GSO SKBs, the stack does not include an ESP trailer, unlike the non-GSO case. Signed-off-by: Ilan Tayari <ilant@mellanox.com> Signed-off-by: Yossi Kuperman <yossiku@mellanox.com> Signed-off-by: Yevgeny Kliteynik <kliteyn@mellanox.com> Signed-off-by: Boris Pismenny <borisp@mellanox.com> Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
|
#
899a59d3 |
|
19-Jun-2017 |
Ilan Tayari <ilant@mellanox.com> |
net/mlx5e: IPSec, Add Innova IPSec offload RX data path In RX data path, the hardware prepends a special metadata ethertype which indicates that the packet underwent decryption, and the result of the authentication check. Communicate this to the stack in skb->sp. Make wqe_size large enough to account for the injected metadata. Support only Linked-list RQ type. IPSec offload RX packets may have useful CHECKSUM_COMPLETE information, which the stack may not be able to use yet. Signed-off-by: Ilan Tayari <ilant@mellanox.com> Signed-off-by: Yossi Kuperman <yossiku@mellanox.com> Signed-off-by: Yevgeny Kliteynik <kliteyn@mellanox.com> Signed-off-by: Boris Pismenny <borisp@mellanox.com> Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
|
#
547eede0 |
|
18-Apr-2017 |
Ilan Tayari <ilant@mellanox.com> |
net/mlx5e: IPSec, Innova IPSec offload infrastructure Add Innova IPSec ESP crypto offload configuration paths. Detect Innova IPSec device and set the NETIF_F_HW_ESP flag. Configure Security Associations using the API introduced in a previous patch. Add Software-parser hardware descriptor layout Software-Parser (swp) is a hardware feature in ConnectX which allows the host software to specify protocol header offsets in the TX path, thus overriding the hardware parser. This is useful for protocols that the ASIC may not be able to parse on its own. Note that due to inline metadata, XDP is not supported in Innova IPSec. Signed-off-by: Ilan Tayari <ilant@mellanox.com> Signed-off-by: Yossi Kuperman <yossiku@mellanox.com> Signed-off-by: Yevgeny Kliteynik <kliteyn@mellanox.com> Signed-off-by: Boris Pismenny <borisp@mellanox.com> Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
|