From patchwork Tue Dec 19 23:59:52 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Shannon Nelson X-Patchwork-Id: 851132 Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=oracle.com header.i=@oracle.com header.b="SMnv+8vx"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3z1Zfh3YbXz9s7v for ; Wed, 20 Dec 2017 11:00:44 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753912AbdLTAAm (ORCPT ); Tue, 19 Dec 2017 19:00:42 -0500 Received: from aserp2130.oracle.com ([141.146.126.79]:59649 "EHLO aserp2130.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753781AbdLTAAW (ORCPT ); Tue, 19 Dec 2017 19:00:22 -0500 Received: from pps.filterd (aserp2130.oracle.com [127.0.0.1]) by aserp2130.oracle.com (8.16.0.21/8.16.0.21) with SMTP id vBJNxZMV140971; Wed, 20 Dec 2017 00:00:16 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id; s=corp-2017-10-26; bh=laCabSdZBJ3z6hJ3GsJYMNxfgPzvtAODrXHcTIgQm0U=; b=SMnv+8vxdbRa3WbHySMo7YwG67lUaBfm7rPJ3zk3eq3fW3fE5Nsd23X+96utkWnqH0Bt +CB2/FOenTLMav34cgNiZPcrYdU6W7l4wq10Y2AqKBcR06KPa5YT5Y+cFlHxuAyl2bWY IusxuPKBxEZSh6/zsub3N0NSM7K1e6StIcwElhRPQ7di4Oyx1jCn5Kzizhe7yOTKTOPy qGAKBfFl7uZH1w2EiFFmfLPmMIK+0MTFCnOdHQyJSQWWZ3EobCCqt49FpKroK9LiHdLu jLXz7OFSpo/lse14whaIUdcmquDy5v1IS4VEaR/jPXseVnYxp/Pj4NRV19Dv1pH+jD4a tg== Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by aserp2130.oracle.com with ESMTP id 2eycx900q1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 20 Dec 2017 00:00:16 +0000 Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id vBK00Bqw029535 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 20 Dec 2017 00:00:11 GMT Received: from abhmp0018.oracle.com (abhmp0018.oracle.com [141.146.116.24]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id vBK00AlM007881; Wed, 20 Dec 2017 00:00:10 GMT Received: from slnelson-mint18.us.oracle.com (/10.159.142.109) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 19 Dec 2017 16:00:10 -0800 From: Shannon Nelson To: intel-wired-lan@lists.osuosl.org, jeffrey.t.kirsher@intel.com Cc: steffen.klassert@secunet.com, sowmini.varadhan@oracle.com, netdev@vger.kernel.org Subject: [PATCH v3 next-queue 00/10] ixgbe: Add ipsec offload Date: Tue, 19 Dec 2017 15:59:52 -0800 Message-Id: <1513728002-7643-1-git-send-email-shannon.nelson@oracle.com> X-Mailer: git-send-email 2.7.4 X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8750 signatures=668650 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1712190335 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org This is an implementation of the ipsec hardware offload feature for the ixgbe driver and Intel's 10Gbe series NICs: x540, x550, 82599. These patches apply to net-next v4.14 as well as Jeff Kirsher's next-queue v4.15-rc1-206-ge47375b. The ixgbe NICs support ipsec offload for 1024 Rx and 1024 Tx Security Associations (SAs), using up to 128 inbound IP addresses, and using the rfc4106(gcm(aes)) encryption. This code does not yet support IPv6, checksum offload, or TSO in conjunction with the ipsec offload - those will be added in the future. This code shows improvements in both packet throughput and CPU utilization. For example, here are some quicky numbers that show the magnitude of the performance gain on a single run of "iperf -c " with the ipsec offload on both ends of a point-to-point connection: 9.4 Gbps - normal case 7.6 Gbps - ipsec with offload 343 Mbps - ipsec no offload To set up a similar test case, you first need to be sure you have a recent version of iproute2 that supports the ipsec offload tag, probably something from ip 4.12 or newer would be best. I have a shell script that builds up the appropriate commands for me, but here are the resulting commands for all tcp traffic between 14.0.0.52 and 14.0.0.70: For the left side (14.0.0.52): ip x p add dir out src 14.0.0.52/24 dst 14.0.0.70/24 proto tcp tmpl \ proto esp src 14.0.0.52 dst 14.0.0.70 spi 0x07 mode transport reqid 0x07 ip x p add dir in src 14.0.0.70/24 dst 14.0.0.52/24 proto tcp tmpl \ proto esp dst 14.0.0.52 src 14.0.0.70 spi 0x07 mode transport reqid 0x07 ip x s add proto esp src 14.0.0.52 dst 14.0.0.70 spi 0x07 mode transport \ reqid 0x07 replay-window 32 \ aead 'rfc4106(gcm(aes))' 0x44434241343332312423222114131211f4f3f2f1 128 \ sel src 14.0.0.52/24 dst 14.0.0.70/24 proto tcp offload dev eth4 dir out ip x s add proto esp dst 14.0.0.52 src 14.0.0.70 spi 0x07 mode transport \ reqid 0x07 replay-window 32 \ aead 'rfc4106(gcm(aes))' 0x44434241343332312423222114131211f4f3f2f1 128 \ sel src 14.0.0.70/24 dst 14.0.0.52/24 proto tcp offload dev eth4 dir in For the right side (14.0.0.70): ip x p add dir out src 14.0.0.70/24 dst 14.0.0.52/24 proto tcp tmpl \ proto esp src 14.0.0.70 dst 14.0.0.52 spi 0x07 mode transport reqid 0x07 ip x p add dir in src 14.0.0.52/24 dst 14.0.0.70/24 proto tcp tmpl \ proto esp dst 14.0.0.70 src 14.0.0.52 spi 0x07 mode transport reqid 0x07 ip x s add proto esp src 14.0.0.70 dst 14.0.0.52 spi 0x07 mode transport \ reqid 0x07 replay-window 32 \ aead 'rfc4106(gcm(aes))' 0x44434241343332312423222114131211f4f3f2f1 128 \ sel src 14.0.0.70/24 dst 14.0.0.52/24 proto tcp offload dev eth4 dir out ip x s add proto esp dst 14.0.0.70 src 14.0.0.52 spi 0x07 mode transport \ reqid 0x07 replay-window 32 \ aead 'rfc4106(gcm(aes))' 0x44434241343332312423222114131211f4f3f2f1 128 \ sel src 14.0.0.52/24 dst 14.0.0.70/24 proto tcp offload dev eth4 dir in In both cases, the command "ip x s flush ; ip x p flush" will clean it all out and remove the offloads. Lastly, thanks to Alex Duyck for his early comments. Please see the individual patches for specific update info. v3: fixes after comments from those wonderfully pesky kbuild robots v2: fixes after comments from Alex Shannon Nelson (10): ixgbe: clean up ipsec defines ixgbe: add ipsec register access routines ixgbe: add ipsec engine start and stop routines ixgbe: add ipsec data structures ixgbe: add ipsec offload add and remove SA ixgbe: restore offloaded SAs after a reset ixgbe: process the Rx ipsec offload ixgbe: process the Tx ipsec offload ixgbe: ipsec offload stats ixgbe: register ipsec offload with the xfrm subsystem drivers/net/ethernet/intel/ixgbe/Makefile | 1 + drivers/net/ethernet/intel/ixgbe/ixgbe.h | 33 +- drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 923 +++++++++++++++++++++++ drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.h | 92 +++ drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c | 4 +- drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 39 +- drivers/net/ethernet/intel/ixgbe/ixgbe_type.h | 22 +- 8 files changed, 1093 insertions(+), 23 deletions(-) create mode 100644 drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c create mode 100644 drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.h