From owner-svn-src-head@freebsd.org Fri Dec 6 15:36:33 2019
Message-Id: <201912061536.xB6FaWFg006545@repo.freebsd.org>
From: Hans Petter Selasky
Date: Fri, 6 Dec 2019 15:36:32 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r355446 - in head/sys: conf dev/mlx5 dev/mlx5/mlx5_en modules/mlx5en
X-SVN-Group: head
X-SVN-Commit-Author: hselasky
X-SVN-Commit-Paths: in head/sys: conf dev/mlx5 dev/mlx5/mlx5_en
modules/mlx5en
X-SVN-Commit-Revision: 355446
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
List-Id: SVN commit messages for the src tree for head/-current

Author: hselasky
Date: Fri Dec 6 15:36:32 2019
New Revision: 355446
URL: https://svnweb.freebsd.org/changeset/base/355446

Log:
  Implement hardware TLS via send tags for mlx5en(4), which is supported by
  ConnectX-6 DX. Currently TLS v1.2 and v1.3 with AES 128/256 crypto over
  TCP/IP (v4 and v6) are supported.

  A per-PCI-device UMA zone is used to manage the memory of the send tags.
  To optimize performance, some crypto contexts may be cached by the UMA
  zone until the UMA zone releases the memory of the given send tag.

  An asynchronous task is used to manage setup of the send tags towards the
  firmware, most importantly setting the AES 128/256-bit pre-shared keys
  for the crypto context.

  Updating the state of the AES crypto engine and encrypting data are both
  done in the fast path. Each send tag tracks the TCP sequence number in
  order to detect non-contiguous blocks of data, which may require a dump
  of prior unencrypted data to restore the crypto state prior to wire
  transmission.

  Statistics counters have been added to count the amount of TLS data
  transmitted in total, and the amount of TLS data which has been dumped
  prior to transmission. When non-contiguous TCP sequence numbers are
  detected, the software needs to dump the beginning of the current TLS
  record up until the point of retransmission. All TLS counters utilize
  the counter(9) API.
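  As an illustration of the sequence tracking described above, here is a
  minimal userspace sketch in C. It is not the driver code: the
  tls_seq_tracker structure and both helper functions are hypothetical
  names chosen for this example. Only the idea of keeping an expected TCP
  sequence number per send tag, and of replaying the start of the current
  TLS record on a mismatch, is taken from the commit.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified stand-in for the per-send-tag state. */
struct tls_seq_tracker {
	uint32_t expected_seq;	/* next TCP sequence number expected */
};

/*
 * Return true when the segment starts exactly where the previous one
 * ended. In either case the tracker is advanced past this segment.
 */
static bool
tls_seq_in_order(struct tls_seq_tracker *trk, uint32_t seq,
    uint32_t payload_len)
{
	bool in_order;

	assert(trk != NULL);
	in_order = (seq == trk->expected_seq);
	/* unsigned arithmetic wraps modulo 2^32, like TCP sequence space */
	trk->expected_seq = seq + payload_len;
	return (in_order);
}

/*
 * Number of bytes between the start of the current TLS record and the
 * (re)transmitted segment. In this sketch that is the amount of record
 * data that would have to be replayed before the segment is sent.
 */
static uint32_t
tls_bytes_to_replay(uint32_t record_start_seq, uint32_t seq)
{
	return (seq - record_start_seq);	/* wrap-safe subtraction */
}
```

  With expected_seq at 1000, a 500-byte segment at sequence 1000 is
  reported as in order and advances the tracker to 1500; a following
  segment at sequence 1200 is reported as non-contiguous.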
  In order to enable hardware TLS offload the following sysctls must be set:
  kern.ipc.mb_use_ext_pgs=1
  kern.ipc.tls.ifnet.permitted=1
  kern.ipc.tls.enable=1

  Sponsored by: Mellanox Technologies

Added:
  head/sys/dev/mlx5/mlx5_en/en_hw_tls.h (contents, props changed)
  head/sys/dev/mlx5/mlx5_en/mlx5_en_hw_tls.c (contents, props changed)
Modified:
  head/sys/conf/files
  head/sys/dev/mlx5/device.h
  head/sys/dev/mlx5/mlx5_en/en.h
  head/sys/dev/mlx5/mlx5_en/en_rl.h
  head/sys/dev/mlx5/mlx5_en/mlx5_en_ethtool.c
  head/sys/dev/mlx5/mlx5_en/mlx5_en_main.c
  head/sys/dev/mlx5/mlx5_en/mlx5_en_rl.c
  head/sys/dev/mlx5/mlx5_en/mlx5_en_tx.c
  head/sys/modules/mlx5en/Makefile

Modified: head/sys/conf/files
==============================================================================
--- head/sys/conf/files Fri Dec 6 15:01:36 2019 (r355445)
+++ head/sys/conf/files Fri Dec 6 15:36:32 2019 (r355446)
@@ -4781,6 +4781,8 @@ dev/mlx5/mlx5_en/mlx5_en_tx.c optional mlx5en pci in
 	compile-with "${OFED_C}"
 dev/mlx5/mlx5_en/mlx5_en_flow_table.c optional mlx5en pci inet inet6 \
 	compile-with "${OFED_C}"
+dev/mlx5/mlx5_en/mlx5_en_hw_tls.c optional mlx5en pci inet inet6 \
+	compile-with "${OFED_C}"
 dev/mlx5/mlx5_en/mlx5_en_rx.c optional mlx5en pci inet inet6 \
 	compile-with "${OFED_C}"
 dev/mlx5/mlx5_en/mlx5_en_rl.c optional mlx5en pci inet inet6 \

Modified: head/sys/dev/mlx5/device.h
==============================================================================
--- head/sys/dev/mlx5/device.h Fri Dec 6 15:01:36 2019 (r355445)
+++ head/sys/dev/mlx5/device.h Fri Dec 6 15:36:32 2019 (r355446)
@@ -361,6 +361,7 @@ enum {
 	MLX5_OPCODE_ATOMIC_MASKED_FA = 0x15,
 	MLX5_OPCODE_BIND_MW = 0x18,
 	MLX5_OPCODE_CONFIG_CMD = 0x1f,
+	MLX5_OPCODE_DUMP = 0x23,
 
 	MLX5_RECV_OPCODE_RDMA_WRITE_IMM = 0x00,
 	MLX5_RECV_OPCODE_SEND = 0x01,

Modified: head/sys/dev/mlx5/mlx5_en/en.h
==============================================================================
--- head/sys/dev/mlx5/mlx5_en/en.h Fri Dec 6 15:01:36 2019 (r355445)
+++
head/sys/dev/mlx5/mlx5_en/en.h Fri Dec 6 15:36:32 2019 (r355446) @@ -53,6 +53,7 @@ #include #include #include +#include #include "opt_rss.h" @@ -167,6 +168,7 @@ typedef void (mlx5e_cq_comp_t)(struct mlx5_core_cq *); #define MLX5E_STATS_COUNT(a, ...) a #define MLX5E_STATS_VAR(a, b, c, ...) b c; +#define MLX5E_STATS_COUNTER(a, b, c, ...) counter_##b##_t c; #define MLX5E_STATS_DESC(a, b, c, d, e, ...) d, e, #define MLX5E_VPORT_STATS(m) \ @@ -724,6 +726,7 @@ struct mlx5e_params_ethtool { u8 fec_avail_10x_25x[MLX5E_MAX_FEC_10X_25X]; u16 fec_avail_50x[MLX5E_MAX_FEC_50X]; u32 fec_mode_active; + u32 hw_mtu_msb; }; struct mlx5e_cq { @@ -775,6 +778,7 @@ struct mlx5e_rq { struct mlx5e_sq_mbuf { bus_dmamap_t dma_map; struct mbuf *mbuf; + volatile s32 *p_refcount; /* in use refcount, if any */ u32 num_bytes; u32 num_wqebbs; }; @@ -959,9 +963,14 @@ struct mlx5e_flow_tables { struct mlx5e_flow_table inner_rss; }; -#ifdef RATELIMIT +struct mlx5e_xmit_args { + volatile s32 *pref; + u32 tisn; + u16 ihs; +}; + #include "en_rl.h" -#endif +#include "en_hw_tls.h" #define MLX5E_TSTMP_PREC 10 @@ -1035,10 +1044,11 @@ struct mlx5e_priv { int media_active_last; struct callout watchdog; -#ifdef RATELIMIT + struct mlx5e_rl_priv_data rl; -#endif + struct mlx5e_tls tls; + struct callout tstmp_clbr; int clbr_done; int clbr_curr; @@ -1092,6 +1102,8 @@ struct mlx5e_eeprom { #define MLX5E_FLD_MAX(typ, fld) ((1ULL << __mlx5_bit_sz(typ, fld)) - 1ULL) +bool mlx5e_do_send_cqe(struct mlx5e_sq *); +int mlx5e_get_full_header_size(struct mbuf *, struct tcphdr **); int mlx5e_xmit(struct ifnet *, struct mbuf *); int mlx5e_open_locked(struct ifnet *); @@ -1163,7 +1175,12 @@ void mlx5e_create_ethtool(struct mlx5e_priv *); void mlx5e_create_stats(struct sysctl_ctx_list *, struct sysctl_oid_list *, const char *, const char **, unsigned, u64 *); +void mlx5e_create_counter_stats(struct sysctl_ctx_list *, + struct sysctl_oid_list *, const char *, + const char **, unsigned, counter_u64_t *); void 
mlx5e_send_nop(struct mlx5e_sq *, u32); +int mlx5e_sq_dump_xmit(struct mlx5e_sq *, struct mlx5e_xmit_args *, struct mbuf **); +int mlx5e_sq_xmit(struct mlx5e_sq *, struct mbuf **); void mlx5e_sq_cev_timeout(void *); int mlx5e_refresh_channel_params(struct mlx5e_priv *); int mlx5e_open_cq(struct mlx5e_priv *, struct mlx5e_cq_param *, @@ -1182,5 +1199,10 @@ void mlx5e_update_sq_inline(struct mlx5e_sq *sq); void mlx5e_refresh_sq_inline(struct mlx5e_priv *priv); int mlx5e_update_buf_lossy(struct mlx5e_priv *priv); int mlx5e_fec_update(struct mlx5e_priv *priv); + +if_snd_tag_alloc_t mlx5e_ul_snd_tag_alloc; +if_snd_tag_modify_t mlx5e_ul_snd_tag_modify; +if_snd_tag_query_t mlx5e_ul_snd_tag_query; +if_snd_tag_free_t mlx5e_ul_snd_tag_free; #endif /* _MLX5_EN_H_ */ Added: head/sys/dev/mlx5/mlx5_en/en_hw_tls.h ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sys/dev/mlx5/mlx5_en/en_hw_tls.h Fri Dec 6 15:36:32 2019 (r355446) @@ -0,0 +1,104 @@ +/*- + * Copyright (c) 2019 Mellanox Technologies. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS `AS IS' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#ifndef _MLX5_TLS_H_ +#define _MLX5_TLS_H_ + +#include + +#define MLX5E_TLS_TAG_LOCK(tag) mtx_lock(&(tag)->mtx) +#define MLX5E_TLS_TAG_UNLOCK(tag) mtx_unlock(&(tag)->mtx) + +#define MLX5E_TLS_STAT_INC(tag, field, num) \ + counter_u64_add((tag)->tls->stats.field, num) + +enum { + MLX5E_TLS_LOOP = 0, + MLX5E_TLS_FAILURE = 1, + MLX5E_TLS_DEFERRED = 2, + MLX5E_TLS_CONTINUE = 3, +}; + +struct mlx5e_tls_tag { + struct mlx5e_snd_tag tag; + STAILQ_ENTRY(mlx5e_tls_tag) entry; + volatile s32 refs; /* number of pending mbufs */ + uint32_t tisn; /* HW TIS context number */ + uint32_t dek_index; /* HW TLS context number */ + struct mlx5e_tls *tls; + struct m_snd_tag *rl_tag; + struct mtx mtx; + uint32_t expected_seq; /* expected TCP sequence number */ + uint32_t state; /* see MLX5E_TLS_ST_XXX */ +#define MLX5E_TLS_ST_INIT 0 +#define MLX5E_TLS_ST_SETUP 1 +#define MLX5E_TLS_ST_TXRDY 2 +#define MLX5E_TLS_ST_FREED 3 + struct work_struct work; + + uint32_t dek_index_ok:1; + + /* parameters needed */ + uint8_t crypto_params[128] __aligned(4); +} __aligned(MLX5E_CACHELINE_SIZE); + +#define MLX5E_TLS_STATS(m) \ + m(+1, u64, tx_packets, "tx_packets", "Transmitted packets") \ + m(+1, u64, tx_bytes, "tx_bytes", "Transmitted bytes") \ + m(+1, u64, tx_packets_ooo, "tx_packets_ooo", "Transmitted packets out of order") \ + m(+1, u64, tx_bytes_ooo, "tx_bytes_ooo", "Transmitted bytes out of order") \ + m(+1, u64, tx_error, "tx_error", "Transmitted 
packets with error") + +#define MLX5E_TLS_STATS_NUM (0 MLX5E_TLS_STATS(MLX5E_STATS_COUNT)) + +struct mlx5e_tls_stats { + struct sysctl_ctx_list ctx; + counter_u64_t arg[0]; + MLX5E_TLS_STATS(MLX5E_STATS_COUNTER) +}; + +struct mlx5e_tls { + struct sysctl_ctx_list ctx; + struct mlx5e_tls_stats stats; + struct workqueue_struct *wq; + uma_zone_t zone; + uint32_t max_resources; /* max number of resources */ + volatile uint32_t num_resources; /* current number of resources */ + int init; /* set when ready */ + char zname[32]; +}; + +int mlx5e_tls_init(struct mlx5e_priv *); +void mlx5e_tls_cleanup(struct mlx5e_priv *); +int mlx5e_sq_tls_xmit(struct mlx5e_sq *, struct mlx5e_xmit_args *, struct mbuf **); + +if_snd_tag_alloc_t mlx5e_tls_snd_tag_alloc; +if_snd_tag_modify_t mlx5e_tls_snd_tag_modify; +if_snd_tag_query_t mlx5e_tls_snd_tag_query; +if_snd_tag_free_t mlx5e_tls_snd_tag_free; + +#endif /* _MLX5_TLS_H_ */ Modified: head/sys/dev/mlx5/mlx5_en/en_rl.h ============================================================================== --- head/sys/dev/mlx5/mlx5_en/en_rl.h Fri Dec 6 15:01:36 2019 (r355445) +++ head/sys/dev/mlx5/mlx5_en/en_rl.h Fri Dec 6 15:36:32 2019 (r355446) @@ -167,6 +167,7 @@ struct mlx5e_rl_priv_data { int mlx5e_rl_init(struct mlx5e_priv *priv); void mlx5e_rl_cleanup(struct mlx5e_priv *priv); void mlx5e_rl_refresh_sq_inline(struct mlx5e_rl_priv_data *rl); + if_snd_tag_alloc_t mlx5e_rl_snd_tag_alloc; if_snd_tag_modify_t mlx5e_rl_snd_tag_modify; if_snd_tag_query_t mlx5e_rl_snd_tag_query; Modified: head/sys/dev/mlx5/mlx5_en/mlx5_en_ethtool.c ============================================================================== --- head/sys/dev/mlx5/mlx5_en/mlx5_en_ethtool.c Fri Dec 6 15:01:36 2019 (r355445) +++ head/sys/dev/mlx5/mlx5_en/mlx5_en_ethtool.c Fri Dec 6 15:36:32 2019 (r355446) @@ -48,6 +48,26 @@ mlx5e_create_stats(struct sysctl_ctx_list *ctx, } } +void +mlx5e_create_counter_stats(struct sysctl_ctx_list *ctx, + struct sysctl_oid_list *parent, const char 
*buffer, + const char **desc, unsigned num, counter_u64_t *arg) +{ + struct sysctl_oid *node; + unsigned x; + + sysctl_ctx_init(ctx); + + node = SYSCTL_ADD_NODE(ctx, parent, OID_AUTO, + buffer, CTLFLAG_RD, NULL, "Statistics"); + if (node == NULL) + return; + for (x = 0; x != num; x++) { + SYSCTL_ADD_COUNTER_U64(ctx, SYSCTL_CHILDREN(node), OID_AUTO, + desc[2 * x], CTLFLAG_RD, arg + x, desc[2 * x + 1]); + } +} + static void mlx5e_ethtool_sync_tx_completion_fact(struct mlx5e_priv *priv) { Added: head/sys/dev/mlx5/mlx5_en/mlx5_en_hw_tls.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sys/dev/mlx5/mlx5_en/mlx5_en_hw_tls.c Fri Dec 6 15:36:32 2019 (r355446) @@ -0,0 +1,834 @@ +/*- + * Copyright (c) 2019 Mellanox Technologies. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS `AS IS' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include "opt_kern_tls.h" + +#include "en.h" + +#include + +#include +#include +#include + +#ifdef KERN_TLS + +MALLOC_DEFINE(M_MLX5E_TLS, "MLX5E_TLS", "MLX5 ethernet HW TLS"); + +/* software TLS context */ +struct mlx5_ifc_sw_tls_cntx_bits { + struct mlx5_ifc_tls_static_params_bits param; + struct mlx5_ifc_tls_progress_params_bits progress; + struct { + uint8_t key_data[8][0x20]; + uint8_t key_len[0x20]; + } key; +}; + +CTASSERT(MLX5_ST_SZ_BYTES(sw_tls_cntx) <= sizeof(((struct mlx5e_tls_tag *)0)->crypto_params)); +CTASSERT(MLX5_ST_SZ_BYTES(mkc) == sizeof(((struct mlx5e_tx_umr_wqe *)0)->mkc)); + +static const char *mlx5e_tls_stats_desc[] = { + MLX5E_TLS_STATS(MLX5E_STATS_DESC) +}; + +static void mlx5e_tls_work(struct work_struct *); + +static int +mlx5e_tls_tag_zinit(void *mem, int size, int flags) +{ + struct mlx5e_tls_tag *ptag = mem; + + MPASS(size == sizeof(*ptag)); + + memset(ptag, 0, sizeof(*ptag)); + mtx_init(&ptag->mtx, "mlx5-tls-tag-mtx", NULL, MTX_DEF); + INIT_WORK(&ptag->work, mlx5e_tls_work); + + return (0); +} + +static void +mlx5e_tls_tag_zfini(void *mem, int size) +{ + struct mlx5e_tls_tag *ptag = mem; + struct mlx5e_priv *priv; + struct mlx5e_tls *ptls; + + ptls = ptag->tls; + priv = container_of(ptls, struct mlx5e_priv, tls); + + flush_work(&ptag->work); + + if (ptag->tisn != 0) { + mlx5_tls_close_tis(priv->mdev, ptag->tisn); + atomic_add_32(&ptls->num_resources, -1U); + } + + mtx_destroy(&ptag->mtx); +} 
+ +static void +mlx5e_tls_tag_zfree(struct mlx5e_tls_tag *ptag) +{ + + /* reset some variables */ + ptag->state = MLX5E_TLS_ST_INIT; + ptag->dek_index = 0; + ptag->dek_index_ok = 0; + + /* avoid leaking keys */ + memset(ptag->crypto_params, 0, sizeof(ptag->crypto_params)); + + /* update number of TIS contexts */ + if (ptag->tisn == 0) + atomic_add_32(&ptag->tls->num_resources, -1U); + + /* return tag to UMA */ + uma_zfree(ptag->tls->zone, ptag); +} + +int +mlx5e_tls_init(struct mlx5e_priv *priv) +{ + struct mlx5e_tls *ptls = &priv->tls; + struct sysctl_oid *node; + uint32_t x; + + if (MLX5_CAP_GEN(priv->mdev, tls) == 0) + return (0); + + ptls->wq = create_singlethread_workqueue("mlx5-tls-wq"); + if (ptls->wq == NULL) + return (ENOMEM); + + sysctl_ctx_init(&ptls->ctx); + + snprintf(ptls->zname, sizeof(ptls->zname), + "mlx5_%u_tls", device_get_unit(priv->mdev->pdev->dev.bsddev)); + + ptls->zone = uma_zcreate(ptls->zname, sizeof(struct mlx5e_tls_tag), + NULL, NULL, mlx5e_tls_tag_zinit, mlx5e_tls_tag_zfini, UMA_ALIGN_CACHE, 0); + + ptls->max_resources = 1U << MLX5_CAP_GEN(priv->mdev, log_max_dek); + + for (x = 0; x != MLX5E_TLS_STATS_NUM; x++) + ptls->stats.arg[x] = counter_u64_alloc(M_WAITOK); + + ptls->init = 1; + + node = SYSCTL_ADD_NODE(&priv->sysctl_ctx, + SYSCTL_CHILDREN(priv->sysctl_ifnet), OID_AUTO, + "tls", CTLFLAG_RW, NULL, "Hardware TLS offload"); + if (node == NULL) + return (0); + + mlx5e_create_counter_stats(&ptls->ctx, + SYSCTL_CHILDREN(node), "stats", + mlx5e_tls_stats_desc, MLX5E_TLS_STATS_NUM, + ptls->stats.arg); + + return (0); +} + +void +mlx5e_tls_cleanup(struct mlx5e_priv *priv) +{ + struct mlx5e_tls *ptls = &priv->tls; + uint32_t x; + + if (MLX5_CAP_GEN(priv->mdev, tls) == 0) + return; + + ptls->init = 0; + flush_workqueue(ptls->wq); + sysctl_ctx_free(&ptls->ctx); + uma_zdestroy(ptls->zone); + destroy_workqueue(ptls->wq); + + /* check if all resources are freed */ + MPASS(priv->tls.num_resources == 0); + + for (x = 0; x != MLX5E_TLS_STATS_NUM; 
x++) + counter_u64_free(ptls->stats.arg[x]); +} + +static void +mlx5e_tls_work(struct work_struct *work) +{ + struct mlx5e_tls_tag *ptag; + struct mlx5e_priv *priv; + int err; + + ptag = container_of(work, struct mlx5e_tls_tag, work); + priv = container_of(ptag->tls, struct mlx5e_priv, tls); + + switch (ptag->state) { + case MLX5E_TLS_ST_SETUP: + /* try to open TIS, if not present */ + if (ptag->tisn == 0) { + err = mlx5_tls_open_tis(priv->mdev, 0, priv->tdn, + priv->pdn, &ptag->tisn); + if (err) { + MLX5E_TLS_STAT_INC(ptag, tx_error, 1); + break; + } + } + MLX5_SET(sw_tls_cntx, ptag->crypto_params, progress.pd, ptag->tisn); + + /* try to allocate a DEK context ID */ + err = mlx5_encryption_key_create(priv->mdev, priv->pdn, + MLX5_ADDR_OF(sw_tls_cntx, ptag->crypto_params, key.key_data), + MLX5_GET(sw_tls_cntx, ptag->crypto_params, key.key_len), + &ptag->dek_index); + if (err) { + MLX5E_TLS_STAT_INC(ptag, tx_error, 1); + break; + } + + MLX5_SET(sw_tls_cntx, ptag->crypto_params, param.dek_index, ptag->dek_index); + + ptag->dek_index_ok = 1; + + MLX5E_TLS_TAG_LOCK(ptag); + if (ptag->state == MLX5E_TLS_ST_SETUP) + ptag->state = MLX5E_TLS_ST_TXRDY; + MLX5E_TLS_TAG_UNLOCK(ptag); + break; + + case MLX5E_TLS_ST_FREED: + /* wait for all refs to go away */ + while (ptag->refs != 0) + msleep(1); + + /* try to destroy DEK context by ID */ + if (ptag->dek_index_ok) + err = mlx5_encryption_key_destroy(priv->mdev, ptag->dek_index); + + /* free tag */ + mlx5e_tls_tag_zfree(ptag); + break; + + default: + break; + } +} + +static int +mlx5e_tls_set_params(void *ctx, const struct tls_session_params *en) +{ + + MLX5_SET(sw_tls_cntx, ctx, param.const_2, 2); + if (en->tls_vminor == TLS_MINOR_VER_TWO) + MLX5_SET(sw_tls_cntx, ctx, param.tls_version, 2); /* v1.2 */ + else + MLX5_SET(sw_tls_cntx, ctx, param.tls_version, 3); /* v1.3 */ + MLX5_SET(sw_tls_cntx, ctx, param.const_1, 1); + MLX5_SET(sw_tls_cntx, ctx, param.encryption_standard, 1); /* TLS */ + + /* copy the initial vector in place 
*/ + if (en->iv_len == MLX5_FLD_SZ_BYTES(sw_tls_cntx, param.gcm_iv)) { + memcpy(MLX5_ADDR_OF(sw_tls_cntx, ctx, param.gcm_iv), + en->iv, MLX5_FLD_SZ_BYTES(sw_tls_cntx, param.gcm_iv)); + } else if (en->iv_len == (MLX5_FLD_SZ_BYTES(sw_tls_cntx, param.gcm_iv) + + MLX5_FLD_SZ_BYTES(sw_tls_cntx, param.implicit_iv))) { + memcpy(MLX5_ADDR_OF(sw_tls_cntx, ctx, param.gcm_iv), + (char *)en->iv + MLX5_FLD_SZ_BYTES(sw_tls_cntx, param.implicit_iv), + MLX5_FLD_SZ_BYTES(sw_tls_cntx, param.gcm_iv)); + memcpy(MLX5_ADDR_OF(sw_tls_cntx, ctx, param.implicit_iv), + en->iv, + MLX5_FLD_SZ_BYTES(sw_tls_cntx, param.implicit_iv)); + } else { + return (EINVAL); + } + + if (en->cipher_key_len <= MLX5_FLD_SZ_BYTES(sw_tls_cntx, key.key_data)) { + memcpy(MLX5_ADDR_OF(sw_tls_cntx, ctx, key.key_data), + en->cipher_key, en->cipher_key_len); + MLX5_SET(sw_tls_cntx, ctx, key.key_len, en->cipher_key_len); + } else { + return (EINVAL); + } + return (0); +} + +/* Verify zero default */ +CTASSERT(MLX5E_TLS_ST_INIT == 0); + +int +mlx5e_tls_snd_tag_alloc(struct ifnet *ifp, + union if_snd_tag_alloc_params *params, + struct m_snd_tag **ppmt) +{ + struct if_snd_tag_alloc_rate_limit rl_params; + struct mlx5e_priv *priv; + struct mlx5e_tls_tag *ptag; + const struct tls_session_params *en; + int error; + + priv = ifp->if_softc; + + if (priv->tls.init == 0) + return (EOPNOTSUPP); + + /* allocate new tag from zone, if any */ + ptag = uma_zalloc(priv->tls.zone, M_NOWAIT); + if (ptag == NULL) + return (ENOMEM); + + /* sanity check default values */ + MPASS(ptag->state == MLX5E_TLS_ST_INIT); + MPASS(ptag->dek_index == 0); + MPASS(ptag->dek_index_ok == 0); + + /* setup TLS tag */ + ptag->tls = &priv->tls; + ptag->tag.type = params->hdr.type; + + /* check if there is no TIS context */ + if (ptag->tisn == 0) { + uint32_t value; + + value = atomic_fetchadd_32(&priv->tls.num_resources, 1U); + + /* check resource limits */ + if (value >= priv->tls.max_resources) { + error = ENOMEM; + goto failure; + } + } + + en = 
&params->tls.tls->params; + + /* only TLS v1.2 and v1.3 is currently supported */ + if (en->tls_vmajor != TLS_MAJOR_VER_ONE || + (en->tls_vminor != TLS_MINOR_VER_TWO +#ifdef TLS_MINOR_VER_THREE + && en->tls_vminor != TLS_MINOR_VER_THREE +#endif + )) { + error = EPROTONOSUPPORT; + goto failure; + } + + switch (en->cipher_algorithm) { + case CRYPTO_AES_NIST_GCM_16: + switch (en->cipher_key_len) { + case 128 / 8: + if (en->auth_algorithm != CRYPTO_AES_128_NIST_GMAC) { + error = EINVAL; + goto failure; + } + if (en->tls_vminor == TLS_MINOR_VER_TWO) { + if (MLX5_CAP_TLS(priv->mdev, tls_1_2_aes_gcm_128) == 0) { + error = EPROTONOSUPPORT; + goto failure; + } + } else { + if (MLX5_CAP_TLS(priv->mdev, tls_1_3_aes_gcm_128) == 0) { + error = EPROTONOSUPPORT; + goto failure; + } + } + error = mlx5e_tls_set_params(ptag->crypto_params, en); + if (error) + goto failure; + break; + + case 256 / 8: + if (en->auth_algorithm != CRYPTO_AES_256_NIST_GMAC) { + error = EINVAL; + goto failure; + } + if (en->tls_vminor == TLS_MINOR_VER_TWO) { + if (MLX5_CAP_TLS(priv->mdev, tls_1_2_aes_gcm_256) == 0) { + error = EPROTONOSUPPORT; + goto failure; + } + } else { + if (MLX5_CAP_TLS(priv->mdev, tls_1_3_aes_gcm_256) == 0) { + error = EPROTONOSUPPORT; + goto failure; + } + } + error = mlx5e_tls_set_params(ptag->crypto_params, en); + if (error) + goto failure; + break; + + default: + error = EINVAL; + goto failure; + } + break; + default: + error = EPROTONOSUPPORT; + goto failure; + } + + switch (ptag->tag.type) { +#if defined(RATELIMIT) && defined(IF_SND_TAG_TYPE_TLS_RATE_LIMIT) + case IF_SND_TAG_TYPE_TLS_RATE_LIMIT: + memset(&rl_params, 0, sizeof(rl_params)); + rl_params.hdr = params->tls_rate_limit.hdr; + rl_params.hdr.type = IF_SND_TAG_TYPE_RATE_LIMIT; + rl_params.max_rate = params->tls_rate_limit.max_rate; + + error = mlx5e_rl_snd_tag_alloc(ifp, + container_of(&rl_params, union if_snd_tag_alloc_params, rate_limit), + &ptag->rl_tag); + if (error) + goto failure; + break; +#endif + case 
IF_SND_TAG_TYPE_TLS: + memset(&rl_params, 0, sizeof(rl_params)); + rl_params.hdr = params->tls.hdr; + rl_params.hdr.type = IF_SND_TAG_TYPE_UNLIMITED; + + error = mlx5e_ul_snd_tag_alloc(ifp, + container_of(&rl_params, union if_snd_tag_alloc_params, unlimited), + &ptag->rl_tag); + if (error) + goto failure; + break; + default: + error = EOPNOTSUPP; + goto failure; + } + + /* store pointer to mbuf tag */ + MPASS(ptag->tag.m_snd_tag.refcount == 0); + m_snd_tag_init(&ptag->tag.m_snd_tag, ifp); + *ppmt = &ptag->tag.m_snd_tag; + return (0); + +failure: + mlx5e_tls_tag_zfree(ptag); + return (error); +} + +int +mlx5e_tls_snd_tag_modify(struct m_snd_tag *pmt, union if_snd_tag_modify_params *params) +{ +#if defined(RATELIMIT) && defined(IF_SND_TAG_TYPE_TLS_RATE_LIMIT) + struct if_snd_tag_rate_limit_params rl_params; + int error; +#endif + struct mlx5e_tls_tag *ptag = + container_of(pmt, struct mlx5e_tls_tag, tag.m_snd_tag); + + switch (ptag->tag.type) { +#if defined(RATELIMIT) && defined(IF_SND_TAG_TYPE_TLS_RATE_LIMIT) + case IF_SND_TAG_TYPE_TLS_RATE_LIMIT: + memset(&rl_params, 0, sizeof(rl_params)); + rl_params.max_rate = params->tls_rate_limit.max_rate; + error = mlx5e_rl_snd_tag_modify(ptag->rl_tag, + container_of(&rl_params, union if_snd_tag_modify_params, rate_limit)); + return (error); +#endif + default: + return (EOPNOTSUPP); + } +} + +int +mlx5e_tls_snd_tag_query(struct m_snd_tag *pmt, union if_snd_tag_query_params *params) +{ + struct mlx5e_tls_tag *ptag = + container_of(pmt, struct mlx5e_tls_tag, tag.m_snd_tag); + int error; + + switch (ptag->tag.type) { +#if defined(RATELIMIT) && defined(IF_SND_TAG_TYPE_TLS_RATE_LIMIT) + case IF_SND_TAG_TYPE_TLS_RATE_LIMIT: + error = mlx5e_rl_snd_tag_query(ptag->rl_tag, params); + break; +#endif + case IF_SND_TAG_TYPE_TLS: + error = mlx5e_ul_snd_tag_query(ptag->rl_tag, params); + break; + default: + error = EOPNOTSUPP; + break; + } + return (error); +} + +void +mlx5e_tls_snd_tag_free(struct m_snd_tag *pmt) +{ + struct mlx5e_tls_tag 
*ptag = + container_of(pmt, struct mlx5e_tls_tag, tag.m_snd_tag); + struct mlx5e_priv *priv; + + switch (ptag->tag.type) { +#if defined(RATELIMIT) && defined(IF_SND_TAG_TYPE_TLS_RATE_LIMIT) + case IF_SND_TAG_TYPE_TLS_RATE_LIMIT: + mlx5e_rl_snd_tag_free(ptag->rl_tag); + break; +#endif + case IF_SND_TAG_TYPE_TLS: + mlx5e_ul_snd_tag_free(ptag->rl_tag); + break; + default: + break; + } + + MLX5E_TLS_TAG_LOCK(ptag); + ptag->state = MLX5E_TLS_ST_FREED; + MLX5E_TLS_TAG_UNLOCK(ptag); + + priv = ptag->tag.m_snd_tag.ifp->if_softc; + queue_work(priv->tls.wq, &ptag->work); +} + +CTASSERT((MLX5_FLD_SZ_BYTES(sw_tls_cntx, param) % 16) == 0); + +static void +mlx5e_tls_send_static_parameters(struct mlx5e_sq *sq, struct mlx5e_tls_tag *ptag) +{ + const u32 ds_cnt = DIV_ROUND_UP(sizeof(struct mlx5e_tx_umr_wqe) + + MLX5_FLD_SZ_BYTES(sw_tls_cntx, param), MLX5_SEND_WQE_DS); + struct mlx5e_tx_umr_wqe *wqe; + u16 pi; + + pi = sq->pc & sq->wq.sz_m1; + wqe = mlx5_wq_cyc_get_wqe(&sq->wq, pi); + + memset(wqe, 0, sizeof(*wqe)); + + wqe->ctrl.opmod_idx_opcode = cpu_to_be32((sq->pc << 8) | + MLX5_OPCODE_UMR | (MLX5_OPCODE_MOD_UMR_TLS_TIS_STATIC_PARAMS << 24)); + wqe->ctrl.qpn_ds = cpu_to_be32((sq->sqn << 8) | ds_cnt); + wqe->ctrl.imm = cpu_to_be32(ptag->tisn << 8); + + if (mlx5e_do_send_cqe(sq)) + wqe->ctrl.fm_ce_se = MLX5_WQE_CTRL_CQ_UPDATE | MLX5_FENCE_MODE_INITIATOR_SMALL; + else + wqe->ctrl.fm_ce_se = MLX5_FENCE_MODE_INITIATOR_SMALL; + + /* fill out UMR control segment */ + wqe->umr.flags = 0x80; /* inline data */ + wqe->umr.bsf_octowords = cpu_to_be16(MLX5_FLD_SZ_BYTES(sw_tls_cntx, param) / 16); + + /* copy in the static crypto parameters */ + memcpy(wqe + 1, MLX5_ADDR_OF(sw_tls_cntx, ptag->crypto_params, param), + MLX5_FLD_SZ_BYTES(sw_tls_cntx, param)); + + /* copy data for doorbell */ + memcpy(sq->doorbell.d32, &wqe->ctrl, sizeof(sq->doorbell.d32)); + + sq->mbuf[pi].mbuf = NULL; + sq->mbuf[pi].num_bytes = 0; + sq->mbuf[pi].num_wqebbs = DIV_ROUND_UP(ds_cnt, MLX5_SEND_WQEBB_NUM_DS); + 
sq->mbuf[pi].p_refcount = &ptag->refs; + atomic_add_int(&ptag->refs, 1); + sq->pc += sq->mbuf[pi].num_wqebbs; +} + +CTASSERT(MLX5_FLD_SZ_BYTES(sw_tls_cntx, progress) == + sizeof(((struct mlx5e_tx_psv_wqe *)0)->psv)); + +static void +mlx5e_tls_send_progress_parameters(struct mlx5e_sq *sq, struct mlx5e_tls_tag *ptag) +{ + const u32 ds_cnt = DIV_ROUND_UP(sizeof(struct mlx5e_tx_psv_wqe), + MLX5_SEND_WQE_DS); + struct mlx5e_tx_psv_wqe *wqe; + u16 pi; + + pi = sq->pc & sq->wq.sz_m1; + wqe = mlx5_wq_cyc_get_wqe(&sq->wq, pi); + + memset(wqe, 0, sizeof(*wqe)); + + wqe->ctrl.opmod_idx_opcode = cpu_to_be32((sq->pc << 8) | + MLX5_OPCODE_SET_PSV | (MLX5_OPCODE_MOD_PSV_TLS_TIS_PROGRESS_PARAMS << 24)); + wqe->ctrl.qpn_ds = cpu_to_be32((sq->sqn << 8) | ds_cnt); + + if (mlx5e_do_send_cqe(sq)) + wqe->ctrl.fm_ce_se = MLX5_WQE_CTRL_CQ_UPDATE | MLX5_FENCE_MODE_INITIATOR_SMALL; + else + wqe->ctrl.fm_ce_se = MLX5_FENCE_MODE_INITIATOR_SMALL; + + /* copy in the PSV control segment */ + memcpy(&wqe->psv, MLX5_ADDR_OF(sw_tls_cntx, ptag->crypto_params, progress), + sizeof(wqe->psv)); + + /* copy data for doorbell */ + memcpy(sq->doorbell.d32, &wqe->ctrl, sizeof(sq->doorbell.d32)); + + sq->mbuf[pi].mbuf = NULL; + sq->mbuf[pi].num_bytes = 0; + sq->mbuf[pi].num_wqebbs = DIV_ROUND_UP(ds_cnt, MLX5_SEND_WQEBB_NUM_DS); + sq->mbuf[pi].p_refcount = &ptag->refs; + atomic_add_int(&ptag->refs, 1); + sq->pc += sq->mbuf[pi].num_wqebbs; +} + +static void +mlx5e_tls_send_nop(struct mlx5e_sq *sq, struct mlx5e_tls_tag *ptag) +{ + const u32 ds_cnt = MLX5_SEND_WQEBB_NUM_DS; + struct mlx5e_tx_wqe *wqe; + u16 pi; + + pi = sq->pc & sq->wq.sz_m1; + wqe = mlx5_wq_cyc_get_wqe(&sq->wq, pi); + + memset(&wqe->ctrl, 0, sizeof(wqe->ctrl)); + + wqe->ctrl.opmod_idx_opcode = cpu_to_be32((sq->pc << 8) | MLX5_OPCODE_NOP); + wqe->ctrl.qpn_ds = cpu_to_be32((sq->sqn << 8) | ds_cnt); + if (mlx5e_do_send_cqe(sq)) + wqe->ctrl.fm_ce_se = MLX5_WQE_CTRL_CQ_UPDATE | MLX5_FENCE_MODE_INITIATOR_SMALL; + else + wqe->ctrl.fm_ce_se = 
MLX5_FENCE_MODE_INITIATOR_SMALL; + + /* Copy data for doorbell */ + memcpy(sq->doorbell.d32, &wqe->ctrl, sizeof(sq->doorbell.d32)); + + sq->mbuf[pi].mbuf = NULL; + sq->mbuf[pi].num_bytes = 0; + sq->mbuf[pi].num_wqebbs = DIV_ROUND_UP(ds_cnt, MLX5_SEND_WQEBB_NUM_DS); + sq->mbuf[pi].p_refcount = &ptag->refs; + atomic_add_int(&ptag->refs, 1); + sq->pc += sq->mbuf[pi].num_wqebbs; +} + +#define SBTLS_MBUF_NO_DATA ((struct mbuf *)1) + +static struct mbuf * +sbtls_recover_record(struct mbuf *mb, int wait, uint32_t tcp_old, uint32_t *ptcp_seq) +{ + struct mbuf *mr; + uint32_t offset; + uint32_t delta; + + /* check format of incoming mbuf */ + if (mb->m_next == NULL || + (mb->m_next->m_flags & (M_NOMAP | M_EXT)) != (M_NOMAP | M_EXT) || + mb->m_next->m_ext.ext_buf == NULL) { + mr = NULL; + goto done; + } + + /* get unmapped data offset */ + offset = mtod(mb->m_next, uintptr_t); + + /* check if we don't need to re-transmit anything */ + if (offset == 0) { + mr = SBTLS_MBUF_NO_DATA; + goto done; + } + + /* try to get a new mbufs with packet header */ + mr = m_gethdr(wait, MT_DATA); + if (mr == NULL) + goto done; + + mb_dupcl(mr, mb->m_next); + + /* the beginning of the TLS record */ + mr->m_data = NULL; + + /* setup packet header length */ + mr->m_pkthdr.len = mr->m_len = offset; + + /* check for partial re-transmit */ + delta = *ptcp_seq - tcp_old; + + if (delta < offset) { + m_adj(mr, offset - delta); + offset = delta; + } + + /* + * Rewind the TCP sequence number by the amount of data + * retransmitted: + */ + *ptcp_seq -= offset; +done: + return (mr); +} + +static int +mlx5e_sq_tls_populate(struct mbuf *mb, uint64_t *pseq) +{ + struct mbuf_ext_pgs *ext_pgs; + + for (; mb != NULL; mb = mb->m_next) { + if (!(mb->m_flags & M_NOMAP)) + continue; + ext_pgs = (void *)mb->m_ext.ext_buf; + *pseq = ext_pgs->seqno; + return (1); + } + return (0); +} + +int +mlx5e_sq_tls_xmit(struct mlx5e_sq *sq, struct mlx5e_xmit_args *parg, struct mbuf **ppmb) +{ + struct mlx5e_tls_tag *ptls_tag; + 
struct mlx5e_snd_tag *ptag; + struct tcphdr *th; + struct mbuf *mb = *ppmb; + u64 rcd_sn; + u32 header_size; + u32 mb_seq; + + if ((mb->m_pkthdr.csum_flags & CSUM_SND_TAG) == 0) + return (MLX5E_TLS_CONTINUE); + + ptag = container_of(mb->m_pkthdr.snd_tag, + struct mlx5e_snd_tag, m_snd_tag); + + if ( +#if defined(RATELIMIT) && defined(IF_SND_TAG_TYPE_TLS_RATE_LIMIT) + ptag->type != IF_SND_TAG_TYPE_TLS_RATE_LIMIT && +#endif + ptag->type != IF_SND_TAG_TYPE_TLS) + return (MLX5E_TLS_CONTINUE); + + ptls_tag = container_of(ptag, struct mlx5e_tls_tag, tag); + + header_size = mlx5e_get_full_header_size(mb, &th); + if (unlikely(header_size == 0 || th == NULL)) + return (MLX5E_TLS_FAILURE); + + /* + * Send non-TLS TCP packets AS-IS: + */ + if (header_size == mb->m_pkthdr.len || + mlx5e_sq_tls_populate(mb, &rcd_sn) == 0) { + parg->tisn = 0; + parg->ihs = header_size; + return (MLX5E_TLS_CONTINUE); *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
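
The statistics declarations in en_hw_tls.h above rely on a single list macro (MLX5E_TLS_STATS) that is expanded several times with different per-entry macros to produce the counter count, the structure fields and the sysctl name/description table. The following is a reduced userspace sketch of that pattern, not the driver code: all DEMO_ and demo_ names are hypothetical, plain uint64_t stands in for counter_u64_t, and only three of the counters are listed.

```c
#include <assert.h>
#include <stdint.h>

/* One entry per counter: (increment, type, field, name, description). */
#define DEMO_STATS(m) \
	m(+1, u64, tx_packets, "tx_packets", "Transmitted packets") \
	m(+1, u64, tx_bytes, "tx_bytes", "Transmitted bytes") \
	m(+1, u64, tx_error, "tx_error", "Transmitted packets with error")

/* Per-entry expanders: each one keeps a different part of the entry. */
#define DEMO_COUNT(a, ...) a
#define DEMO_VAR(a, b, c, ...) uint64_t c;
#define DEMO_DESC(a, b, c, d, e) d, e,

/* Expands to (0 +1 +1 +1), i.e. the number of entries. */
#define DEMO_STATS_NUM (0 DEMO_STATS(DEMO_COUNT))

/* Expands to one uint64_t field per entry. */
struct demo_stats {
	DEMO_STATS(DEMO_VAR)
};

/* Expands to name/description pairs, two strings per entry. */
static const char *demo_stats_desc[] = {
	DEMO_STATS(DEMO_DESC)
};

/* Return the description of counter idx, using the 2 * x + 1 layout. */
static const char *
demo_stat_description(unsigned idx)
{
	assert(idx < DEMO_STATS_NUM);
	return (demo_stats_desc[2 * idx + 1]);
}
```

Adding a counter then only requires one new line in the list macro; the count, the structure layout and the description table stay in sync automatically, which is presumably why the driver declares its counters this way.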