Patches extracted from
https://lore.kernel.org/all/[email protected]/
Update_pn flag will let the offloaded MACsec implementations to know when
the PN is updated.
Radu P.
Radu Pirea (NXP OSS) (4):
net: macsec: indicate next pn update when offloading
octeontx2-pf: mcs: update PN only when update_pn is true
net: phy: mscc: macsec: reject PN update requests
net/mlx5e: macsec: use update_pn flag instead of PN comparation
.../ethernet/marvell/octeontx2/nic/cn10k_macsec.c | 13 +++++++++----
.../ethernet/mellanox/mlx5/core/en_accel/macsec.c | 4 ++--
drivers/net/macsec.c | 2 ++
drivers/net/phy/mscc/mscc_macsec.c | 6 ++++++
include/net/macsec.h | 1 +
5 files changed, 20 insertions(+), 6 deletions(-)
--
2.34.1
When updating the SA, use the new update_pn flags instead of comparing the
new PN with the initial one.
Comparing the initial PN value with the new value will allow the user
to update the SA using the initial PN value as a parameter like this:
$ ip macsec add macsec0 tx sa 0 pn 1 on key 00 \
ead3664f508eb06c40ac7104cdae4ce5
$ ip macsec set macsec0 tx sa 0 pn 1 off
Fixes: 8ff0ac5be144 ("net/mlx5: Add MACsec offload Tx command support")
Fixes: aae3454e4d4c ("net/mlx5e: Add MACsec offload Rx command support")
Signed-off-by: Radu Pirea (NXP OSS) <[email protected]>
---
Changes in v7:
- none
Changes in v6:
- patch added in v6
drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
index c9c1db971652..d4ebd8743114 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
@@ -580,7 +580,7 @@ static int mlx5e_macsec_upd_txsa(struct macsec_context *ctx)
goto out;
}
- if (tx_sa->next_pn != ctx_tx_sa->next_pn_halves.lower) {
+ if (ctx->sa.update_pn) {
netdev_err(netdev, "MACsec offload: update TX sa %d PN isn't supported\n",
assoc_num);
err = -EINVAL;
@@ -973,7 +973,7 @@ static int mlx5e_macsec_upd_rxsa(struct macsec_context *ctx)
goto out;
}
- if (rx_sa->next_pn != ctx_rx_sa->next_pn_halves.lower) {
+ if (ctx->sa.update_pn) {
netdev_err(ctx->netdev,
"MACsec offload update RX sa %d PN isn't supported\n",
assoc_num);
--
2.34.1
Updating the PN is not supported.
Return -EINVAL if update_pn is true.
The following command succeeded, but it should fail because the driver
does not update the PN:
ip macsec set macsec0 tx sa 0 pn 232 on
Fixes: 28c5107aa904 ("net: phy: mscc: macsec support")
Signed-off-by: Radu Pirea (NXP OSS) <[email protected]>
---
Changes in v7:
- none
Changes in v6:
- patch added in v6
drivers/net/phy/mscc/mscc_macsec.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/phy/mscc/mscc_macsec.c b/drivers/net/phy/mscc/mscc_macsec.c
index 018253a573b8..4f39ba63a9a9 100644
--- a/drivers/net/phy/mscc/mscc_macsec.c
+++ b/drivers/net/phy/mscc/mscc_macsec.c
@@ -849,6 +849,9 @@ static int vsc8584_macsec_upd_rxsa(struct macsec_context *ctx)
struct macsec_flow *flow;
int ret;
+ if (ctx->sa.update_pn)
+ return -EINVAL;
+
flow = vsc8584_macsec_find_flow(ctx, MACSEC_INGR);
if (IS_ERR(flow))
return PTR_ERR(flow);
@@ -900,6 +903,9 @@ static int vsc8584_macsec_upd_txsa(struct macsec_context *ctx)
struct macsec_flow *flow;
int ret;
+ if (ctx->sa.update_pn)
+ return -EINVAL;
+
flow = vsc8584_macsec_find_flow(ctx, MACSEC_EGR);
if (IS_ERR(flow))
return PTR_ERR(flow);
--
2.34.1
2023-10-05, 21:06:32 +0300, Radu Pirea (NXP OSS) wrote:
> Patches extracted from
> https://lore.kernel.org/all/[email protected]/
> Update_pn flag will let the offloaded MACsec implementations to know when
> the PN is updated.
>
> Radu P.
>
> Radu Pirea (NXP OSS) (4):
> net: macsec: indicate next pn update when offloading
> octeontx2-pf: mcs: update PN only when update_pn is true
> net: phy: mscc: macsec: reject PN update requests
> net/mlx5e: macsec: use update_pn flag instead of PN comparation
Thanks Radu! For the series:
Reviewed-by: Sabrina Dubroca <[email protected]>
While reviewing this, I noticed that octeon can leave the HW in an
inconsistent state during upd_txsa and upd_rxsa: these ops do 2
separate changes that can both fail, and if the 2nd change fails, we
don't roll back the first change. This is an older issue (not
introduced by this patch) and can be looked at later (I don't know
what happens to the HW and why setting the PN would fail, maybe it's
not recoverable at that point).
--
Sabrina
Hello:
This series was applied to netdev/net.git (main)
by Paolo Abeni <[email protected]>:
On Thu, 5 Oct 2023 21:06:32 +0300 you wrote:
> Patches extracted from
> https://lore.kernel.org/all/[email protected]/
> Update_pn flag will let the offloaded MACsec implementations to know when
> the PN is updated.
>
> Radu P.
>
> [...]
Here is the summary with links:
- [net,v7,1/4] net: macsec: indicate next pn update when offloading
https://git.kernel.org/netdev/net/c/0412cc846a1e
- [net,v7,2/4] octeontx2-pf: mcs: update PN only when update_pn is true
https://git.kernel.org/netdev/net/c/4dcf38ae3ca1
- [net,v7,3/4] net: phy: mscc: macsec: reject PN update requests
https://git.kernel.org/netdev/net/c/e0a8c918daa5
- [net,v7,4/4] net/mlx5e: macsec: use update_pn flag instead of PN comparation
https://git.kernel.org/netdev/net/c/fde2f2d7f23d
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html