From patchwork Tue Jul 9 06:23:23 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mike Yu X-Patchwork-Id: 13727302 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-yw1-f202.google.com (mail-yw1-f202.google.com [209.85.128.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CC53212C475 for ; Tue, 9 Jul 2024 06:23:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720506217; cv=none; b=sBDVPu1n1l2CGbk7rjtsq4I8OiKhh0EzTxpOMkvnZptxbMvAHMszJ1DP22/O2kInoapKrtWOfQJZBWVxi4mahFehMgakr0W+dFW7PUZNgcd5XceNasJsB6462v7UaujaOdc1UQgoaHjwCHFbndH2+WpTk3TKH6nrIvus4fMvSiM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720506217; c=relaxed/simple; bh=6wcAfIzA083j9udKzDviD3/sDaqZOKbaCwhCVSZxdts=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=mPaQrIzF2WJRoZRsmLT7iDJF9y4xOelwiOJ3n9kgil4l3jhtUdfkOhDe4c3lzdSgy60uMZ/WwAJijzNXiEP2VsMTqErVPIpvvKHbe34gOSJnBRFioXU27B3gVIqgpdR4NHAqd2sqb84pDtHaMuQfdDwHOafPPMwp74dybG/7VjM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--yumike.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=FU3pqZCv; arc=none smtp.client-ip=209.85.128.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--yumike.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="FU3pqZCv" Received: by mail-yw1-f202.google.com with SMTP id 00721157ae682-6522c6e5ed9so91475547b3.0 for ; Mon, 08 Jul 2024 23:23:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1720506215; x=1721111015; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=c+oYe1ueaUtt6r/NxRQwLFx8cwsPSNkw5jKdeiGr0tE=; b=FU3pqZCvl1QVFcUoNqKm92BseDzpZHLKDC+G2h08dgLMMd7QCZxAHe0TJHO/qST/39 dJP3fcufA2Sy+H35fKfUBoj4aWAcdRqEXC8aoc0df93ZdufTS2r91Dzm4MK4NkKYSqVK w5hncET+GbqxxE8r8Hp+lO6eId/dUiLZIWet/tm2PANFnRdNfKGGj01ZQEXOkCVJz5Kl 3qGLk+gHXn/B86BR8eT2p70tU2WAmfcajjCTWFCWBNNBU+2HuqlQNJja68IFX9IJVJ9I 0DSHvs/WvLDelTpgxSp+btjdA3TUzXaOrr4lUp/z2zRrV84K3Tq2M982F4JvvQMSsm2m Q81A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720506215; x=1721111015; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=c+oYe1ueaUtt6r/NxRQwLFx8cwsPSNkw5jKdeiGr0tE=; b=p4GQ/uTNPpozQ1ovhqX9VsrAYCPWPW5Y5/KT4VCa+zEWNGrRTIgy7BtYOtdEPmzeTk xtLQjoQUKuG3x2P739Hg4VYTgNhRmTO3zbwheZOK6m6zcvhz4IGx7m2ckvOiczflwR8I ylQSX4EGImZijGaIS5DmkXgOPN2XKdlfayEmPSW/dPTu324tAGJ5RnNBQEs9o1Ho8Q4r UAtuL3C+LPdb64Kh9MRwxexNiv6r7E861ZUXR0+A/hx2hYqJpZjBiJizz60BOEdtFPHX 55ImPhG9usM9gxEAUXS5V8OJaGR/zWRqnhwnvaK2efcdDb9ljVaViAdHTrMyAqAiH8LQ aqnQ== X-Gm-Message-State: AOJu0Yz5ZGURyj/kTF2W9K65JqZMYyhvpenV5c0alsfevSwLypckA/0K 1bwu/Rs0VAQP1iMRNkJ1C4rQ4x116PdGaGjRpcMN0iBxDWORsMy5MlHYhkqXoSsR/djvDlUfNYF nqXOK+yS05n5L3x68DX0qG3ZwH/2Udr+Nz4lNcf+wkIwko7PI4lnrXr+ozWyTaD3u/noupzsU1v /ohwQAkfVts0MtEXiUlDSYOQIjJgRKlFtX X-Google-Smtp-Source: AGHT+IHgFIgnXjbgIb4+JyYTzNZokd4+mmwdSL8ID42M2/8DLS9lDyxC3xfYhUwHmsFD8y7QOJlJ/8bUBYo= X-Received: from yumike.c.googlers.com ([fda3:e722:ac3:cc00:3:22c1:c0a8:d2d]) (user=yumike job=sendgmr) by 2002:a05:690c:6ac2:b0:64a:5132:c909 with SMTP id 00721157ae682-658f167fd91mr527017b3.10.1720506214637; Mon, 08 Jul 2024 23:23:34 -0700 (PDT) Date: Tue, 9 Jul 2024 14:23:23 +0800 In-Reply-To: <20240709062326.939083-1-yumike@google.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240709062326.939083-1-yumike@google.com> X-Mailer: git-send-email 2.45.2.803.g4e1b14247a-goog Message-ID: <20240709062326.939083-2-yumike@google.com> Subject: [PATCH ipsec v2 1/4] xfrm: Support crypto offload for inbound IPv6 ESP packets not in GRO path From: Mike Yu To: netdev@vger.kernel.org, steffen.klassert@secunet.com Cc: yumike@google.com, stanleyjhu@google.com, martinwu@google.com, chiachangwang@google.com X-Patchwork-Delegate: kuba@kernel.org IPsec crypt offload supports outbound IPv6 ESP packets, but it doesn't support inbound IPv6 ESP packets. This change enables the crypto offload for inbound IPv6 ESP packets that are not handled through GRO code path. If HW drivers add the offload information to the skb, the packet will be handled in the crypto offload rx code path. Apart from the change in crypto offload rx code path, the change in xfrm_policy_check is also needed. Exampe of RX data path: +-----------+ +-------+ | HW Driver |-->| wlan0 |--------+ +-----------+ +-------+ | v +---------------+ +------+ +------>| Network Stack |-->| Apps | | +---------------+ +------+ | | | v +--------+ +------------+ | ipsec1 |<--| XFRM Stack | +--------+ +------------+ Test: Enabled both in/out IPsec crypto offload, and verified IPv6 ESP packets on Android device on both wifi/cellular network Signed-off-by: Mike Yu --- net/xfrm/xfrm_input.c | 2 +- net/xfrm/xfrm_policy.c | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index d2ea18dcb0cb..ba8deb0235ba 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c @@ -471,7 +471,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) struct xfrm_offload *xo = xfrm_offload(skb); struct sec_path *sp; - if (encap_type < 0 || (xo && xo->flags & XFRM_GRO)) { + if (encap_type < 0 || (xo && (xo->flags & XFRM_GRO || encap_type == 0))) { x = xfrm_input_state(skb); if (unlikely(x->dir && x->dir != XFRM_SA_DIR_IN)) { diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 6603d3bd171f..2a9a31f2a9c1 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -3718,12 +3718,15 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, pol = xfrm_in_fwd_icmp(skb, &fl, family, if_id); if (!pol) { + const bool is_crypto_offload = sp && + (xfrm_input_state(skb)->xso.type == XFRM_DEV_OFFLOAD_CRYPTO); + if (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK) { XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS); return 0; } - if (sp && secpath_has_nontransport(sp, 0, &xerr_idx)) { + if (sp && secpath_has_nontransport(sp, 0, &xerr_idx) && !is_crypto_offload) { xfrm_secpath_reject(xerr_idx, skb, &fl); XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS); return 0; From patchwork Tue Jul 9 06:23:24 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mike Yu X-Patchwork-Id: 13727303 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-yb1-f202.google.com (mail-yb1-f202.google.com [209.85.219.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BA61E12D1FC for ; Tue, 9 Jul 2024 06:23:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720506221; cv=none; b=uUBkMt8idbRClyw+jV/Zfhh869GpddpZNFrYCWxIk8Xz/RuxqkVRkySuxr/px6JP4DQ52DwEBynjA74yaonjumyfzIVwjRy5eH/KjZnLGDg0cyeWCnWN0ocsgfV/Jg3jEZJBcMKU3p0dEoZNK+v3Yoeujxf72IDQ7/CKWBsRPxY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720506221; c=relaxed/simple; bh=VmaOxrMDoxpJeQU1U5hafB/Lf4mftJY8KRF5RJ2sdGg=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=Te1XuYHF+sy2KFzFoExE0NSEzjFeKzsmnLmZvq5uk/MPbJo06fwLnsUDVIreFyOgEqGrwj/6zaQwr7KWxlD6wfuLYSNsz7Vk3HPHpZI/v6YICOb6Uaz5Xd9ydCn5UEgelCx9bhsQzKCMKNRjapUUJ770e4WvmEXH4cOUwJfUPiw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--yumike.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=uHImyF0G; arc=none smtp.client-ip=209.85.219.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--yumike.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="uHImyF0G" Received: by mail-yb1-f202.google.com with SMTP id 3f1490d57ef6-dfab38b7f6bso7499832276.0 for ; Mon, 08 Jul 2024 23:23:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1720506219; x=1721111019; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=XYup63ShssTSYOcnVn9rka8+8qfRXpQa81RERIvxbCs=; b=uHImyF0GARqD9vnwqGA9s7uGcfDNxJoufT1Y+ZxFBKNFhZEDene7O90X0sMNKk4gg1 MWWDPDEBQqxOdSh0gSqre2uZzmKh2wFLaxx1ldCJhO8ofr9EMGgnQFGhMlqJJe9T88QW TmoeoffrlGQ8ff1OiKcjte5esRRmdxyv+1HiJIIdxBMk/EtgrGIH8C4XCF0ESkG5d7uC bZglxBRmWC/3724/FbH4wO2S29wuyXIJQJ2xj4DNjm2yzGkMxXOCbwDOP/SeUOosc1qf M/SZILxwjJzdsBRQrscjmup9TvKLm+4VKMtnxleUUCdhKYe1OvvXLKPpf7cp1Rrv65Qp 3BhQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720506219; x=1721111019; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=XYup63ShssTSYOcnVn9rka8+8qfRXpQa81RERIvxbCs=; b=nCZ3rqsPWnfumznMBh7z6r8Bm+6KMXU0fZ1+0kW2m7HXXoQNzRDOVh+GzyPzvBMd4Y 5h3pkpOpT5vraO09OuWaARVaiO5ql/dr5T5gkd4l7/jepY65mteWCqKLksaJDlRVuQz5 pNeaDk2f/DvcouF2BtHXyNTL+qd0OpkorbZ2rst3HK5d0qpZMhsn+qbx1YFql9sTie8n bui4AX7A3Obevsx6WZUTjWCkO6/5A/Djnluu2u8I4+DSRrGyBYvCyxOISyUeL0VydZVh ZcGZjoPArVC/tq94T3d7UVGTSKQOJ7Mni0J4KqhBLn7zu+5dyAQZeUjl+5e1YNVMtxvw D0tg== X-Gm-Message-State: AOJu0YyVfH+UbwUkA7LixcTEMLjhF3Y3yDibORW8tMIintmLp65sSgHz lZ+7zgz/Pvwi/5Rh6gC+caYMu1N2fWj8ilJ+gcfR8AbAVAqgze4nedPFE2MYEuXVfw7/ksRTerW w2efHmqxBCqDYx7T779IdOH9qboR6uTtXZS7uP1EBKJV/SMYQF41ZmqlTXAn6mlAXdGLHnFwTiQ rt2jqBE7GoG5uiTRIUs7EdWSPApL3onsG/ X-Google-Smtp-Source: AGHT+IFUI+DUmECIiEP6CXZ0En4MC8rKFUHOQCwm/gu4ExfrM3dMGvAJRb2eJgkcDt3G+fSpdMJPriMg5I0= X-Received: from yumike.c.googlers.com ([fda3:e722:ac3:cc00:3:22c1:c0a8:d2d]) (user=yumike job=sendgmr) by 2002:a05:6902:18cd:b0:e03:3f26:b758 with SMTP id 3f1490d57ef6-e041b0594d9mr163281276.4.1720506218701; Mon, 08 Jul 2024 23:23:38 -0700 (PDT) Date: Tue, 9 Jul 2024 14:23:24 +0800 In-Reply-To: <20240709062326.939083-1-yumike@google.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240709062326.939083-1-yumike@google.com> X-Mailer: git-send-email 2.45.2.803.g4e1b14247a-goog Message-ID: <20240709062326.939083-3-yumike@google.com> Subject: [PATCH ipsec v2 2/4] xfrm: Allow UDP encapsulation in crypto offload control path From: Mike Yu To: netdev@vger.kernel.org, steffen.klassert@secunet.com Cc: yumike@google.com, stanleyjhu@google.com, martinwu@google.com, chiachangwang@google.com X-Patchwork-Delegate: kuba@kernel.org Unblock this limitation so that SAs with encapsulation specified can be passed to HW drivers. HW drivers can still reject the SA in their implementation of xdo_dev_state_add if the encapsulation is not supported. Test: Verified on Android device Signed-off-by: Mike Yu --- net/xfrm/xfrm_device.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c index 2455a76a1cff..9a44d363ba62 100644 --- a/net/xfrm/xfrm_device.c +++ b/net/xfrm/xfrm_device.c @@ -261,9 +261,9 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, is_packet_offload = xuo->flags & XFRM_OFFLOAD_PACKET; - /* We don't yet support UDP encapsulation and TFC padding. */ - if ((!is_packet_offload && x->encap) || x->tfcpad) { - NL_SET_ERR_MSG(extack, "Encapsulation and TFC padding can't be offloaded"); + /* We don't yet support TFC padding. */ + if (x->tfcpad) { + NL_SET_ERR_MSG(extack, "TFC padding can't be offloaded"); return -EINVAL; } From patchwork Tue Jul 9 06:23:25 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mike Yu X-Patchwork-Id: 13727304 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-yw1-f201.google.com (mail-yw1-f201.google.com [209.85.128.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id ED90B137775 for ; Tue, 9 Jul 2024 06:23:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720506225; cv=none; b=m8NkX0mptrdh+Lfbd0FSO6yq6RRBn3kKKJ1P815/X1kYx5JPIF5oHzQUL0jvdL6IDB2O3gYDLBRTL4BWht+g55hetFdey//SjN8CuyX7a8LhsMo6zjXszfMFBL7SNHjpN/RxYE3N5oKtiJOIjF8zGfM9kJupd66C8X2tsA57SZ4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720506225; c=relaxed/simple; bh=t+fd8Ua0W5SAGhCz1imNDwt9NMPjurfkPT2IJFivpaU=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=gALDWQrl5NHFFu0q22zmiA/xRTwgddjeySwelPk0dWLKwYC4gp1oQYHn0WIf1FdeGFQvd4eAgkknL66arRdbAe4RDSS8kypJ2Ri+EUZ9HO1jJMFT9AdN9DrqmNwJSKvDl0Sj29jBnr9eCiVzyaGPBY/U+Q/NV8ZotjKCUVtymbc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--yumike.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=oHo7Jb1Y; arc=none smtp.client-ip=209.85.128.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--yumike.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="oHo7Jb1Y" Received: by mail-yw1-f201.google.com with SMTP id 00721157ae682-6533680c788so72572047b3.1 for ; Mon, 08 Jul 2024 23:23:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1720506223; x=1721111023; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=pMWw3T7z9YrPkDclPYswq8+OgJBIlNt5StLoSoxGAIs=; b=oHo7Jb1YbxGoD0tPfw47ineNbMGSdGGkKd5xr6oNDLvjtGgokwVgmQY9RrCecPAnRV h7VrlRpAUw3C2FZ4YAjiqW3rZOj+9golUp5OEuvFvducRIOTNvIYoNvIIRj2otDHM6O3 so9aR32M0wGJX5+DpsG1R+CLdS/TwLuys9wy/lIiINhrS553MP8UIxATPaK/gxN1yCoc FLVIC/ibjaC1VzaHXRhF7ehmL6WJ19GvLTDS6AlZGrE7T090xNw3fQPlhFGg8fB6L7Vj jy7vq1Bwic6A104IQw6KzmBF3QAxs1SErrieEsFKb4UPGnwwGtVaJjIT9CPL5A0MInoZ w/og== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720506223; x=1721111023; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=pMWw3T7z9YrPkDclPYswq8+OgJBIlNt5StLoSoxGAIs=; b=uN9ZxMhCMC5D2wNil8sl8yz+DhzY0jE1U49VgjGDqlZQkqdnmt3mKYYy2q85A8CUdN kcvogw4CR0wObuwcmUkI3qlwcuWoYHOxqXtv7J7FjdPvxcDSvgdXN+H2S1wYX/1oVhQy ko/5hCOWZfiT4PBOJbW+QDOlmUuBRRSomPWsqA+vb+1tfgekdOWbr51zqpXZtOY2eoZC cflZFkmmEcReJIJUAvnaz1zzsi0sM/KZj5xuRH0bDjUxJkFMn3m7JctKqFKCmy6W+nGq oKbKw+8mx8JaEM2JA45xdcsJqD7ykHNtTYz87Q7c+pDHzZQ9zMJD9vVOq6/woOe2W2C5 6Bsg== X-Gm-Message-State: AOJu0YwM/N6ZfKhupW5qUnq/pMuiW0C3RL7X+MmBqlrWTLkro6TlgJRp mr2ZdDPvYmgN/TR+xDFSErLIiC0IsyrmiF2hqaG/7/6QzUD8s/QLZops9mknQEYuKHWrIXlg/QC 57CZoxRJZ+qYw/kl2347/fCXIH91VU77ki1jn9D+o8kUgTJFN+gvKx399CKOkh1/ofZWwBSNeUA U5ytoCfdhxgXOThZFQcBJv62UtJXJlfDPt X-Google-Smtp-Source: AGHT+IHPpeDLNCBts05+o/XW59Eao4ZQMCpwpvyOtSLQ/KQvy6xCAl0xwAV9TrWqrZBn/HO5o9W+PbkZ2JM= X-Received: from yumike.c.googlers.com ([fda3:e722:ac3:cc00:3:22c1:c0a8:d2d]) (user=yumike job=sendgmr) by 2002:a05:690c:63c8:b0:650:93e3:fe73 with SMTP id 00721157ae682-658f01f4f68mr335067b3.5.1720506222424; Mon, 08 Jul 2024 23:23:42 -0700 (PDT) Date: Tue, 9 Jul 2024 14:23:25 +0800 In-Reply-To: <20240709062326.939083-1-yumike@google.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240709062326.939083-1-yumike@google.com> X-Mailer: git-send-email 2.45.2.803.g4e1b14247a-goog Message-ID: <20240709062326.939083-4-yumike@google.com> Subject: [PATCH ipsec v2 3/4] xfrm: Support crypto offload for inbound IPv4 UDP-encapsulated ESP packet From: Mike Yu To: netdev@vger.kernel.org, steffen.klassert@secunet.com Cc: yumike@google.com, stanleyjhu@google.com, martinwu@google.com, chiachangwang@google.com X-Patchwork-Delegate: kuba@kernel.org If xfrm_input() is called with UDP_ENCAP_ESPINUDP, the packet is already processed in UDP layer that removes the UDP header. Therefore, there should be no much difference to treat it as an ESP packet in the XFRM stack. Test: Enabled dir=in IPsec crypto offload, and verified IPv4 UDP-encapsulated ESP packets on both wifi/cellular network Signed-off-by: Mike Yu --- net/xfrm/xfrm_input.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index ba8deb0235ba..7cee9c0a2cdc 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c @@ -471,7 +471,8 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) struct xfrm_offload *xo = xfrm_offload(skb); struct sec_path *sp; - if (encap_type < 0 || (xo && (xo->flags & XFRM_GRO || encap_type == 0))) { + if (encap_type < 0 || (xo && (xo->flags & XFRM_GRO || encap_type == 0 || + encap_type == UDP_ENCAP_ESPINUDP))) { x = xfrm_input_state(skb); if (unlikely(x->dir && x->dir != XFRM_SA_DIR_IN)) { From patchwork Tue Jul 9 06:23:26 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mike Yu X-Patchwork-Id: 13727305 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-yb1-f201.google.com (mail-yb1-f201.google.com [209.85.219.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 912AB137775 for ; Tue, 9 Jul 2024 06:23:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720506229; cv=none; b=C+SorTJNVnUeH8FBOYPMJn07TvxIgvspWniY7MAIjayJ0egV8SOvmaRkzwjIAdUg7cpu1i0jnAbSE//qpJtJzTPke5NPeCvCDusg/cBIGtPnosAmYpQuAyjYNXTins+dTJZAUrilbO6DRDt6A4+/bHdVBjTU8xLD0KrJ3L7dIUM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720506229; c=relaxed/simple; bh=fvpTZTkC0144XgY0xDFgf+dUI0rwkqhzRTfazGyTAg8=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=c5/mtlQtNeUCg7A5rZWBj4zGvi013dOHilcjV3X+2Epc75q/4LMn02D6PVdaQG0wxOCvEZOdEpwhPnPi5Y1e00YqPU5JGnQG6To+SCh9NNg/fTD0WRjDJKkEHoX85YDG3YXG2TpPFKrBaXzzcwOutlDmPmLQm1Ku65DeqUUIncw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--yumike.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=uw83fab+; arc=none smtp.client-ip=209.85.219.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--yumike.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="uw83fab+" Received: by mail-yb1-f201.google.com with SMTP id 3f1490d57ef6-e0360f8d773so8354760276.3 for ; Mon, 08 Jul 2024 23:23:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1720506226; x=1721111026; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=MZHu+GdNMiKtnxtQETzAPgrNeDiM2cwjRzDmck39LRE=; b=uw83fab+qBjCPZ9pnPtM1vup1MG2b6DQoWeCw+k8OnEbEO1xDrZ1tnEyErqU4Y69Hm UUoNHuLXfBdDcF6oTCRmD4AxTF4VmQbogP/eZt4lbfCUAspssKQsGbmApHXSNmso58Ee Ap13LouGdnZQjhCtguC5N4hX9M/BGuNdZtodTHUUWSuaqKDTVaFxfIHXYe/5UePVrNgn ej1GSF87aKmfSjy2JuF2dqKYepEujiJNOyZWTvNKNbTiahq6b1KyvJY7Jh/PpM8NHKAL M2bAgbyw4BVBwy6/RTAFEoHd1jHdlsOxlmXvAcy3WAmLIolBEj25ZjCANwXInagdZLGy DLuA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720506226; x=1721111026; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=MZHu+GdNMiKtnxtQETzAPgrNeDiM2cwjRzDmck39LRE=; b=xGno7AJgj2gpFsvOAbGXDYzSh3H3LxZIt15fTpQmY58MZvokzIWcX2z7w24AHrLIJZ tjWwlKmSHjnGV5P+WL6la/LXbndU0rPWLnB5XNhspla+2Jw7x9LzAr7ks5A7GrDgybev edKtzlcwH9cyM54TRHAKongEmi07VTV+vAbgViEGlEpTHgrrO+DdFey/WSNSjEv2+SbT q/6f4/nsXgozg6GBGg+i3mbXKkgfIwdO4r4sotlXSjWA+ZfFXAQ3h+1iL1AL1Ll/YFtp OKi5X6Sg0XVJULZIKMIfK60EeuCfApmPbEcsI/gsa2BE5lUypK7EuIaIKL1w8J7e6jtP T0gg== X-Gm-Message-State: AOJu0YyuxUxx77WP4z59FnUiIKtzRHk9Kn0j5KM19dmeuDRFQDMIr1tA C6tbHwF30vNUShJ3V8N7ne9DtLJUfuzELKO1Py6YfTYkoPgqL2WtEX+hRRNcsWRCMipL5NsUL2Z Otbd7MEjyFXZCqBRAGO0gcNT47R1ODbKYSN55qLSShlI9f0EF8cxbzVBl68ZvMTon/TCln5APSX GxATjpo1liUDXYLmkyouDdiL46qj1vz7gI X-Google-Smtp-Source: AGHT+IED3GopilEEe0cFM4fw69eQASb02qJkPFvZd2W9cWpkyzzKNUSEJ33jnzSrdhJkUMw1hhf7n2EOx5c= X-Received: from yumike.c.googlers.com ([fda3:e722:ac3:cc00:3:22c1:c0a8:d2d]) (user=yumike job=sendgmr) by 2002:a05:6902:1007:b0:e03:510d:3b6e with SMTP id 3f1490d57ef6-e041b02f9efmr79205276.3.1720506226368; Mon, 08 Jul 2024 23:23:46 -0700 (PDT) Date: Tue, 9 Jul 2024 14:23:26 +0800 In-Reply-To: <20240709062326.939083-1-yumike@google.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240709062326.939083-1-yumike@google.com> X-Mailer: git-send-email 2.45.2.803.g4e1b14247a-goog Message-ID: <20240709062326.939083-5-yumike@google.com> Subject: [PATCH ipsec v2 4/4] xfrm: Support crypto offload for outbound IPv4 UDP-encapsulated ESP packet From: Mike Yu To: netdev@vger.kernel.org, steffen.klassert@secunet.com Cc: yumike@google.com, stanleyjhu@google.com, martinwu@google.com, chiachangwang@google.com X-Patchwork-Delegate: kuba@kernel.org esp_xmit() is already able to handle UDP encapsulation through the call to esp_output_head(). The missing part in esp_xmit() is to correct the outer IP header. Test: Enabled both dir=in/out IPsec crypto offload, and verified IPv4 UDP-encapsulated ESP packets on both wifi/cellular network Signed-off-by: Mike Yu --- v1->v2: https://lore.kernel.org/all/20240702084452.2259237-5-yumike@google.com - Fix comment style. --- net/ipv4/esp4.c | 8 +++++++- net/ipv4/esp4_offload.c | 15 ++++++++++++++- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index 3968d3f98e08..73981595f062 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c @@ -349,6 +349,7 @@ static struct ip_esp_hdr *esp_output_udp_encap(struct sk_buff *skb, { struct udphdr *uh; unsigned int len; + struct xfrm_offload *xo = xfrm_offload(skb); len = skb->len + esp->tailen - skb_transport_offset(skb); if (len + sizeof(struct iphdr) > IP_MAX_MTU) @@ -360,7 +361,12 @@ static struct ip_esp_hdr *esp_output_udp_encap(struct sk_buff *skb, uh->len = htons(len); uh->check = 0; - *skb_mac_header(skb) = IPPROTO_UDP; + /* For IPv4 ESP with UDP encapsulation, if xo is not null, the skb is in the crypto offload + * data path, which means that esp_output_udp_encap is called outside of the XFRM stack. + * In this case, the mac header doesn't point to the IPv4 protocol field, so don't set it. + */ + if (!xo || encap_type != UDP_ENCAP_ESPINUDP) + *skb_mac_header(skb) = IPPROTO_UDP; return (struct ip_esp_hdr *)(uh + 1); } diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c index b3271957ad9a..60fb58a2e321 100644 --- a/net/ipv4/esp4_offload.c +++ b/net/ipv4/esp4_offload.c @@ -264,6 +264,7 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_ struct esp_info esp; bool hw_offload = true; __u32 seq; + int encap_type = 0; esp.inplace = true; @@ -296,8 +297,10 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_ esp.esph = ip_esp_hdr(skb); + if (x->encap) + encap_type = x->encap->encap_type; - if (!hw_offload || !skb_is_gso(skb)) { + if (!hw_offload || !skb_is_gso(skb) || (hw_offload && encap_type == UDP_ENCAP_ESPINUDP)) { esp.nfrags = esp_output_head(x, skb, &esp); if (esp.nfrags < 0) return esp.nfrags; @@ -324,6 +327,16 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_ esp.seqno = cpu_to_be64(seq + ((u64)xo->seq.hi << 32)); + if (hw_offload && encap_type == UDP_ENCAP_ESPINUDP) { + /* In the XFRM stack, the encapsulation protocol is set to iphdr->protocol by + * setting *skb_mac_header(skb) (see esp_output_udp_encap()) where skb->mac_header + * points to iphdr->protocol (see xfrm4_tunnel_encap_add()). + * However, in esp_xmit(), skb->mac_header doesn't point to iphdr->protocol. + * Therefore, the protocol field needs to be corrected. + */ + ip_hdr(skb)->protocol = IPPROTO_UDP; + } + ip_hdr(skb)->tot_len = htons(skb->len); ip_send_check(ip_hdr(skb));