diff options
| author | Jakub Kicinski <kuba@kernel.org> | 2023-02-01 08:35:34 +0300 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2023-02-01 08:35:34 +0300 |
| commit | 71af6a2ddf146db4120ea220b93815e3993dcd94 (patch) | |
| tree | 9fef04c12dbd4dc8456a23bb75ed91c2aa6c5108 /include/linux | |
| parent | c925ed5f66bf70eb5327fd67382a12994d9b1fce (diff) | |
| parent | f741db1a5171ebb93289258e64e69c2a780e3103 (diff) | |
| download | linux-71af6a2ddf146db4120ea220b93815e3993dcd94.tar.xz | |
Merge tag 'mlx5-updates-2023-01-30' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux
Saeed Mahameed says:
====================
mlx5-updates-2023-01-30
Add fast update encryption key
Jianbo Liu Says:
================
Data encryption keys (DEKs) are the keys used for data encryption and
decryption operations. Starting from version 22.33.0783, firmware is
optimized to accelerate the update of user keys into DEK object in
hardware. The support for bulk allocation and destruction of DEK
objects is added, and the bulk allocated DEKs are uninitialized, as
the bulk creation requires no input key. When offload
encryption/decryption, user gets one object from a bulk, and updates
key by a new "modify DEK" command. This command is the same as create
DEK object, but requires no heavy context memory allocation in
firmware, which consumes most cpu cycles of the create DEK command.
DEKs are cached internally by the NIC, so invalidating internal NIC
caches is required before reusing DEKs. The SYNC_CRYPTO command is
added to support it. DEK object can be reused, the keys in it can be
updated after this command is executed.
This patchset enhances the key creation and destruction flow, to get
use of this new feature. Any user, for example, ktls, ipsec and
macsec, can use it to offload keys. But, only ktls uses it, as others
don't need many keys, and caching two many DEKs in pool is wasteful.
There are two new data struts added:
a. DEK pool. One pool is created for each key type. The bulks by
the type, are placed in the pool's different bulk lists, according to
the number of available and in_used DEKs in the bulk.
b. DEK bulk. All DEKs in one bulk allocation are store here. There
are two bitmaps to indicate the state of each DEK.
New APIs are then added. When user need a DEK object,
a. Fetch one bulk with avail DEKs, from the partial_list or
avail_list, otherwise create new one.
b. Pick one DEK, and set its need_sync and in_used bits to 1.
Move the bulk to full_list if no more available keys, or put it to
partial_list if the bulk is newly created.
c. Update DEK object's key with user key, by the "modify DEK"
command.
d. Return DEK struct to user, then it gets the object id and fills
it into the offload commands.
When user free a DEK,
a. Set in_use bit to 0. If all need_sync bits are 1 and all in_use
bits of this bulk are 0, move it to sync_list.
b. If the number of DEKs, which are freed by users, is over the
threshold (128), schedule a workqueue to do the sync process.
For the sync process, the SYNC_CRYPTO command is executed first. Then,
for each bulks in partial_list, full_list and sync_list, reset
need_sync bits of the freed DEK objects. If all need_sync bits in one
bulk are zero, move it to avail_list.
We already supported TIS pool to recycle the TISes. With this series
and TIS pool, TLS CPS performance is improved greatly.
And we tested https on the system:
CPU: dual AMD EPYC 7763 64-Core processors
RAM: 512G
DEV: ConnectX-6 DX, with FW ver 22.33.0838 and TLS_OPTIMISE=true
TLS CPS performance numbers are:
Before: 11k connections/sec
After: 101 connections/sec
================
* tag 'mlx5-updates-2023-01-30' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux:
net/mlx5e: kTLS, Improve connection rate by using fast update encryption key
net/mlx5: Keep only one bulk of full available DEKs
net/mlx5: Add async garbage collector for DEK bulk
net/mlx5: Reuse DEKs after executing SYNC_CRYPTO command
net/mlx5: Use bulk allocation for fast update encryption key
net/mlx5: Add bulk allocation and modify_dek operation
net/mlx5: Add support SYNC_CRYPTO command
net/mlx5: Add new APIs for fast update encryption key
net/mlx5: Refactor the encryption key creation
net/mlx5: Add const to the key pointer of encryption key creation
net/mlx5: Prepare for fast crypto key update if hardware supports it
net/mlx5: Change key type to key purpose
net/mlx5: Add IFC bits and enums for crypto key
net/mlx5: Add IFC bits for general obj create param
net/mlx5: Header file for crypto
====================
Link: https://lore.kernel.org/r/20230131031201.35336-1-saeed@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'include/linux')
| -rw-r--r-- | include/linux/mlx5/device.h | 4 | ||||
| -rw-r--r-- | include/linux/mlx5/driver.h | 2 | ||||
| -rw-r--r-- | include/linux/mlx5/mlx5_ifc.h | 163 |
3 files changed, 157 insertions, 12 deletions
diff --git a/include/linux/mlx5/device.h b/include/linux/mlx5/device.h index 29d4b201c7b2..bc531bd9804f 100644 --- a/include/linux/mlx5/device.h +++ b/include/linux/mlx5/device.h @@ -1204,6 +1204,7 @@ enum mlx5_cap_type { MLX5_CAP_VDPA_EMULATION = 0x13, MLX5_CAP_DEV_EVENT = 0x14, MLX5_CAP_IPSEC, + MLX5_CAP_CRYPTO = 0x1a, MLX5_CAP_DEV_SHAMPO = 0x1d, MLX5_CAP_MACSEC = 0x1f, MLX5_CAP_GENERAL_2 = 0x20, @@ -1460,6 +1461,9 @@ enum mlx5_qcam_feature_groups { #define MLX5_CAP_IPSEC(mdev, cap)\ MLX5_GET(ipsec_cap, (mdev)->caps.hca[MLX5_CAP_IPSEC]->cur, cap) +#define MLX5_CAP_CRYPTO(mdev, cap)\ + MLX5_GET(crypto_cap, (mdev)->caps.hca[MLX5_CAP_CRYPTO]->cur, cap) + #define MLX5_CAP_DEV_SHAMPO(mdev, cap)\ MLX5_GET(shampo_cap, mdev->caps.hca_cur[MLX5_CAP_DEV_SHAMPO], cap) diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h index 44167760ff29..cd529e051b4d 100644 --- a/include/linux/mlx5/driver.h +++ b/include/linux/mlx5/driver.h @@ -516,6 +516,7 @@ struct mlx5_vhca_state_notifier; struct mlx5_sf_dev_table; struct mlx5_sf_hw_table; struct mlx5_sf_table; +struct mlx5_crypto_dek_priv; struct mlx5_rate_limit { u32 rate; @@ -673,6 +674,7 @@ struct mlx5e_resources { } hw_objs; struct devlink_port dl_port; struct net_device *uplink_netdev; + struct mlx5_crypto_dek_priv *dek_priv; }; enum mlx5_sw_icm_type { diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h index 0b102c651fe2..1b6201bb04c1 100644 --- a/include/linux/mlx5/mlx5_ifc.h +++ b/include/linux/mlx5/mlx5_ifc.h @@ -306,6 +306,7 @@ enum { MLX5_CMD_OP_SYNC_STEERING = 0xb00, MLX5_CMD_OP_QUERY_VHCA_STATE = 0xb0d, MLX5_CMD_OP_MODIFY_VHCA_STATE = 0xb0e, + MLX5_CMD_OP_SYNC_CRYPTO = 0xb12, MLX5_CMD_OP_MAX }; @@ -1112,6 +1113,30 @@ struct mlx5_ifc_sync_steering_out_bits { u8 reserved_at_40[0x40]; }; +struct mlx5_ifc_sync_crypto_in_bits { + u8 opcode[0x10]; + u8 uid[0x10]; + + u8 reserved_at_20[0x10]; + u8 op_mod[0x10]; + + u8 reserved_at_40[0x20]; + + u8 reserved_at_60[0x10]; + u8 crypto_type[0x10]; + + u8 reserved_at_80[0x80]; +}; + +struct mlx5_ifc_sync_crypto_out_bits { + u8 status[0x8]; + u8 reserved_at_8[0x18]; + + u8 syndrome[0x20]; + + u8 reserved_at_40[0x40]; +}; + struct mlx5_ifc_device_mem_cap_bits { u8 memic[0x1]; u8 reserved_at_1[0x1f]; @@ -1768,7 +1793,8 @@ struct mlx5_ifc_cmd_hca_cap_bits { u8 ats[0x1]; u8 reserved_at_462[0x1]; u8 log_max_uctx[0x5]; - u8 reserved_at_468[0x2]; + u8 reserved_at_468[0x1]; + u8 crypto[0x1]; u8 ipsec_offload[0x1]; u8 log_max_umem[0x5]; u8 max_num_eqs[0x10]; @@ -3351,6 +3377,30 @@ struct mlx5_ifc_shampo_cap_bits { u8 reserved_at_40[0x7c0]; }; +struct mlx5_ifc_crypto_cap_bits { + u8 reserved_at_0[0x3]; + u8 synchronize_dek[0x1]; + u8 int_kek_manual[0x1]; + u8 int_kek_auto[0x1]; + u8 reserved_at_6[0x1a]; + + u8 reserved_at_20[0x3]; + u8 log_dek_max_alloc[0x5]; + u8 reserved_at_28[0x3]; + u8 log_max_num_deks[0x5]; + u8 reserved_at_30[0x10]; + + u8 reserved_at_40[0x20]; + + u8 reserved_at_60[0x3]; + u8 log_dek_granularity[0x5]; + u8 reserved_at_68[0x3]; + u8 log_max_num_int_kek[0x5]; + u8 sw_wrapped_dek[0x10]; + + u8 reserved_at_80[0x780]; +}; + union mlx5_ifc_hca_cap_union_bits { struct mlx5_ifc_cmd_hca_cap_bits cmd_hca_cap; struct mlx5_ifc_cmd_hca_cap_2_bits cmd_hca_cap_2; @@ -3371,6 +3421,7 @@ union mlx5_ifc_hca_cap_union_bits { struct mlx5_ifc_virtio_emulation_cap_bits virtio_emulation_cap; struct mlx5_ifc_shampo_cap_bits shampo_cap; struct mlx5_ifc_macsec_cap_bits macsec_cap; + struct mlx5_ifc_crypto_cap_bits crypto_cap; u8 reserved_at_0[0x8000]; }; @@ -6196,6 +6247,18 @@ struct mlx5_ifc_match_definer_bits { }; }; +struct mlx5_ifc_general_obj_create_param_bits { + u8 alias_object[0x1]; + u8 reserved_at_1[0x2]; + u8 log_obj_range[0x5]; + u8 reserved_at_8[0x18]; +}; + +struct mlx5_ifc_general_obj_query_param_bits { + u8 alias_object[0x1]; + u8 obj_offset[0x1f]; +}; + struct mlx5_ifc_general_obj_in_cmd_hdr_bits { u8 opcode[0x10]; u8 uid[0x10]; @@ -6205,9 +6268,10 @@ struct mlx5_ifc_general_obj_in_cmd_hdr_bits { u8 obj_id[0x20]; - u8 reserved_at_60[0x3]; - u8 log_obj_range[0x5]; - u8 reserved_at_68[0x18]; + union { + struct mlx5_ifc_general_obj_create_param_bits create; + struct mlx5_ifc_general_obj_query_param_bits query; + } op_param; }; struct mlx5_ifc_general_obj_out_cmd_hdr_bits { @@ -11702,6 +11766,7 @@ enum { MLX5_GENERAL_OBJECT_TYPES_SAMPLER = 0x20, MLX5_GENERAL_OBJECT_TYPES_FLOW_METER_ASO = 0x24, MLX5_GENERAL_OBJECT_TYPES_MACSEC = 0x27, + MLX5_GENERAL_OBJECT_TYPES_INT_KEK = 0x47, }; enum { @@ -11881,21 +11946,62 @@ struct mlx5_ifc_query_macsec_obj_out_bits { struct mlx5_ifc_macsec_offload_obj_bits macsec_object; }; +struct mlx5_ifc_wrapped_dek_bits { + u8 gcm_iv[0x60]; + + u8 reserved_at_60[0x20]; + + u8 const0[0x1]; + u8 key_size[0x1]; + u8 reserved_at_82[0x2]; + u8 key2_invalid[0x1]; + u8 reserved_at_85[0x3]; + u8 pd[0x18]; + + u8 key_purpose[0x5]; + u8 reserved_at_a5[0x13]; + u8 kek_id[0x8]; + + u8 reserved_at_c0[0x40]; + + u8 key1[0x8][0x20]; + + u8 key2[0x8][0x20]; + + u8 reserved_at_300[0x40]; + + u8 const1[0x1]; + u8 reserved_at_341[0x1f]; + + u8 reserved_at_360[0x20]; + + u8 auth_tag[0x80]; +}; + struct mlx5_ifc_encryption_key_obj_bits { u8 modify_field_select[0x40]; - u8 reserved_at_40[0x14]; + u8 state[0x8]; + u8 sw_wrapped[0x1]; + u8 reserved_at_49[0xb]; u8 key_size[0x4]; u8 reserved_at_58[0x4]; - u8 key_type[0x4]; + u8 key_purpose[0x4]; u8 reserved_at_60[0x8]; u8 pd[0x18]; - u8 reserved_at_80[0x180]; - u8 key[8][0x20]; + u8 reserved_at_80[0x100]; + + u8 opaque[0x40]; + + u8 reserved_at_1c0[0x40]; + + u8 key[8][0x80]; + + u8 sw_wrapped_dek[8][0x80]; - u8 reserved_at_300[0x500]; + u8 reserved_at_a00[0x600]; }; struct mlx5_ifc_create_encryption_key_in_bits { @@ -11903,6 +12009,11 @@ struct mlx5_ifc_create_encryption_key_in_bits { struct mlx5_ifc_encryption_key_obj_bits encryption_key_object; }; +struct mlx5_ifc_modify_encryption_key_in_bits { + struct mlx5_ifc_general_obj_in_cmd_hdr_bits general_obj_in_cmd_hdr; + struct mlx5_ifc_encryption_key_obj_bits encryption_key_object; +}; + enum { MLX5_FLOW_METER_MODE_BYTES_IP_LENGTH = 0x0, MLX5_FLOW_METER_MODE_BYTES_CALC_WITH_L2 = 0x1, @@ -11958,6 +12069,34 @@ struct mlx5_ifc_create_flow_meter_aso_obj_in_bits { struct mlx5_ifc_flow_meter_aso_obj_bits flow_meter_aso_obj; }; +struct mlx5_ifc_int_kek_obj_bits { + u8 modify_field_select[0x40]; + + u8 state[0x8]; + u8 auto_gen[0x1]; + u8 reserved_at_49[0xb]; + u8 key_size[0x4]; + u8 reserved_at_58[0x8]; + + u8 reserved_at_60[0x8]; + u8 pd[0x18]; + + u8 reserved_at_80[0x180]; + u8 key[8][0x80]; + + u8 reserved_at_600[0x200]; +}; + +struct mlx5_ifc_create_int_kek_obj_in_bits { + struct mlx5_ifc_general_obj_in_cmd_hdr_bits general_obj_in_cmd_hdr; + struct mlx5_ifc_int_kek_obj_bits int_kek_object; +}; + +struct mlx5_ifc_create_int_kek_obj_out_bits { + struct mlx5_ifc_general_obj_out_cmd_hdr_bits general_obj_out_cmd_hdr; + struct mlx5_ifc_int_kek_obj_bits int_kek_object; +}; + struct mlx5_ifc_sampler_obj_bits { u8 modify_field_select[0x40]; @@ -11996,9 +12135,9 @@ enum { }; enum { - MLX5_GENERAL_OBJECT_TYPE_ENCRYPTION_KEY_TYPE_TLS = 0x1, - MLX5_GENERAL_OBJECT_TYPE_ENCRYPTION_KEY_TYPE_IPSEC = 0x2, - MLX5_GENERAL_OBJECT_TYPE_ENCRYPTION_KEY_TYPE_MACSEC = 0x4, + MLX5_GENERAL_OBJECT_TYPE_ENCRYPTION_KEY_PURPOSE_TLS = 0x1, + MLX5_GENERAL_OBJECT_TYPE_ENCRYPTION_KEY_PURPOSE_IPSEC = 0x2, + MLX5_GENERAL_OBJECT_TYPE_ENCRYPTION_KEY_PURPOSE_MACSEC = 0x4, }; struct mlx5_ifc_tls_static_params_bits { |