Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp3836828ybl;
        Tue, 20 Aug 2019 03:04:29 -0700 (PDT)
X-Google-Smtp-Source: APXvYqw1vhHi7tJnZBje8YW7PJ2b48ZRh5LeXg+V3Udy68Dlk2Iqyh+UjMPmR7YK8XKdbR7tt/Xu
X-Received: by 2002:a62:1ad4:: with SMTP id a203mr28581558pfa.210.1566295469511;
        Tue, 20 Aug 2019 03:04:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1566295469; cv=none;
        d=google.com; s=arc-20160816;
        b=oZyrFuj+wTRpCtGzjLf2YDH1poIpV3yDuq82R2Gzj7WvwJIHF15+wD9FauhrLzNZq+
         Zg7AXAQuzqaI99Jc9vGJyyiU84Hmxu6k58N46pbVO3rPQtd5qz03JkOHDm0NbmlF8Lir
         Wg0cEXEdJylj8cfvbM1eN+weuoxdyB0HXnP9ONz7a5aceFmLoY94hkfKT9S73uoOcNn6
         jXxKURXldP+qiQaxmfuqfahjvVMoMW8w0FV/kK9YVrDEQtRj6ZnZSI1hCp2Ci3o4xbH3
         goLRfzDBgZ9F+Nc7Jwq7/0m7A8qR12QmH9zzsW6x1k1C2b9DYrSP7twKfF1PvCcbu+4/
         YOPQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-transfer-encoding:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date;
        bh=yMAMWXW7NOe9go5SYjKLWvTcvRm9k5e+jprtA1mNH9Q=;
        b=VTwDld2bLUlAu2TWJ6SkxjqqLtI8eUuZhme7iSirrhtpEq+euhcb5j5roHOnRZFgBd
         M1oC129qnuqVbIY+cDWb/WjJQrBVeHHgcob1lDLWDLnYC/6NT2dF7budAXI9egFkSkvE
         7LTr2PpX0IuefI/F+5MnLGdMVwTf/qYYmCZ6bY94dU3jaGW3ME1U9p2UktdteT4VyoB5
         jm8Ogool9MpxF7OIHoQ2mTr6p4+S8TAjoskEJQx3OCr7NQSWHRgtmiy45oBaGb4ibpFD
         euKWVrite02miiXAb+WS06BtSA3As/LOsv0JCBL3tncXfLIOov99qf23SsJLbujbnFTc
         e1JQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 33si12069520plq.299.2019.08.20.03.04.12;
        Tue, 20 Aug 2019 03:04:29 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729690AbfHTKBo (ORCPT <rfc822;kkoh.linux@gmail.com>
        + 99 others); Tue, 20 Aug 2019 06:01:44 -0400
Received: from relay9-d.mail.gandi.net ([217.70.183.199]:59105 "EHLO
        relay9-d.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1729580AbfHTKBo (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 20 Aug 2019 06:01:44 -0400
X-Originating-IP: 86.250.200.211
Received: from localhost (lfbn-1-17395-211.w86-250.abo.wanadoo.fr [86.250.200.211])
        (Authenticated sender: antoine.tenart@bootlin.com)
        by relay9-d.mail.gandi.net (Postfix) with ESMTPSA id B714DFF808;
        Tue, 20 Aug 2019 10:01:40 +0000 (UTC)
Date:   Tue, 20 Aug 2019 12:01:40 +0200
From:   Antoine Tenart <antoine.tenart@bootlin.com>
To:     Sabrina Dubroca <sd@queasysnail.net>
Cc:     Igor Russkikh <Igor.Russkikh@aquantia.com>,
        Andrew Lunn <andrew@lunn.ch>,
        Antoine Tenart <antoine.tenart@bootlin.com>,
        "davem@davemloft.net" <davem@davemloft.net>,
        "f.fainelli@gmail.com" <f.fainelli@gmail.com>,
        "hkallweit1@gmail.com" <hkallweit1@gmail.com>,
        "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "thomas.petazzoni@bootlin.com" <thomas.petazzoni@bootlin.com>,
        "alexandre.belloni@bootlin.com" <alexandre.belloni@bootlin.com>,
        "allan.nielsen@microchip.com" <allan.nielsen@microchip.com>,
        "camelia.groza@nxp.com" <camelia.groza@nxp.com>,
        Simon Edelhaus <Simon.Edelhaus@aquantia.com>,
        Pavel Belous <Pavel.Belous@aquantia.com>
Subject: Re: [PATCH net-next v2 6/9] net: macsec: hardware offloading
 infrastructure
Message-ID: <20190820100140.GA3292@kwain>
References: <20190808140600.21477-1-antoine.tenart@bootlin.com>
 <20190808140600.21477-7-antoine.tenart@bootlin.com>
 <e96fa4ae-1f2c-c1be-b2d8-060217d8e151@aquantia.com>
 <20190813085817.GA3200@kwain>
 <20190813131706.GE15047@lunn.ch>
 <2e3c2307-d414-a531-26cb-064e05fa01fc@aquantia.com>
 <20190816132959.GC8697@bistromath.localdomain>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20190816132959.GC8697@bistromath.localdomain>
User-Agent: Mutt/1.12.1 (2019-06-15)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Sabrina,

On Fri, Aug 16, 2019 at 03:29:59PM +0200, Sabrina Dubroca wrote:
> 2019-08-13, 16:18:40 +0000, Igor Russkikh wrote:
> > On 13.08.2019 16:17, Andrew Lunn wrote:
> 
> > That could be a strong limitation in
> > cases when user sees HW macsec offload is broken or work differently, and he/she
> > wants to replace it with SW one.
> 
> Agreed, I think an offload that cannot be disabled is quite problematic.
> 
> > MACSec is a complex feature, and it may happen something is missing in HW.
> > Trivial example is 256bit encryption, which is not always a musthave in HW
> > implementations.
> 
> +1
> 
> > 2) I think, Antoine, its not totally true that otherwise the user macsec API
> > will be broken/changed. netlink api is the same, the only thing we may want to
> > add is an optional parameter to force selection of SW macsec engine.
> 
> Yes, I think we need an offload on/off parameter (and IMO it should
> probably be off by default). Then, if offloading is requested but
> cannot be satisfied (unsupported key length, too many SAs, etc), or if
> incompatible settings are requested (mixing offloaded and
> non-offloaded SCs on a device that cannot do it), return an error.
> 
> If we also export that offload parameter during netlink dumps, we can
> inspect the state of the system, which helps for debugging.

So it seems the ability to enable or disable the offloading on a given
interface is the main missing feature. I'll add that, however I'll
probably (at least at first):

- Have the interface to be fully offloaded or fully handled in s/w (with
  errors being thrown if a given configuration isn't supported). Having
  both at the same time on a given interface would be tricky because of
  the MACsec validation parameter.

- Won't allow to enable/disable the offloading of there are rules in
  place, as we're not sure the same rules would be accepted by the other
  implementation.

I'm not sure if we should allow to mix the implementations on a given
physical interface (by having two MACsec interfaces attached) as the
validation would be impossible to do (we would have no idea if a
packet was correctly handled by the offloading part or just not being
a MACsec packet in the first place, in Rx).

I agree the offloading should be disabled by default, and only enabled
by an user explicitly.

Thanks,
Antoine

-- 
Antoine T?nart, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com