From patchwork Wed Jan 22 12:09:40 2025
X-Patchwork-Submitter: Chiachang Wang
X-Patchwork-Id: 13947236
X-Patchwork-Delegate: kuba@kernel.org
Date: Wed, 22 Jan 2025 12:09:40 +0000
In-Reply-To: <20250122120941.2634198-1-chiachangwang@google.com>
X-Mailing-List: netdev@vger.kernel.org
Message-ID: <20250122120941.2634198-2-chiachangwang@google.com>
Subject: [PATCH ipsec v1 1/2] xfrm: Update offload configuration during SA updates
From: Chiachang Wang
To: netdev@vger.kernel.org, steffen.klassert@secunet.com, leonro@nvidia.com
Cc: yumike@google.com, stanleyjhu@google.com, chiachangwang@google.com

The offload setting is set to HW when the ipsec session is initialized
but cannot be changed until the session is torn down. The session
administrator should be able to update the SA via netlink message.

This patch ensures that when a SA is updated, the associated offload
configuration is also updated. This is necessary to maintain consistency
between the SA and the offload device, especially when the device is
configured for IPSec offload.

Any offload changes to the SA are reflected in the kernel and offload
device.

Test: Enable both in/out crypto offload, and verify with
      Android device on WiFi/cellular network, including
      1. WiFi + crypto offload -> WiFi + no offload
      2. WiFi + no offload -> WiFi + crypto offload
      3. Cellular + crypto offload -> Cellular + no offload
      4. Cellular + no offload -> Cellular + crypto offload

Signed-off-by: Chiachang Wang
---
 net/xfrm/xfrm_state.c | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 67ca7ac955a3..46d75980eb2e 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c
@@ -2047,7 +2047,8 @@ int xfrm_state_update(struct xfrm_state *x) int err; int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY); struct net *net = xs_net(x); - + struct xfrm_dev_offload *xso; + struct net_device *old_dev; to_put = NULL; spin_lock_bh(&net->xfrm.xfrm_state_lock); 
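Review bot: In the declarations at the top of xfrm_state_update(), xso and old_dev are added unconditionally, but the only code in this patch that uses them sits inside #ifdef CONFIG_XFRM_OFFLOAD, so a build with that option off gets unused-variable warnings. Guard the declarations the same way, or move the new logic into a helper that compiles to a stub without the option. The hunk also drops the blank line between the declarations and `to_put = NULL;`; please keep it.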
@@ -2124,7 +2125,28 @@ int xfrm_state_update(struct xfrm_state *x) __xfrm_state_bump_genids(x1); spin_unlock_bh(&net->xfrm.xfrm_state_lock); } +#ifdef CONFIG_XFRM_OFFLOAD + x1->type_offload = x->type_offload; + + if (memcmp(&x1->xso, &x->xso, sizeof(x1->xso))) { + old_dev = x1->xso.dev; + memcpy(&x1->xso, &x->xso, sizeof(x1->xso)); + + if (old_dev) + old_dev->xfrmdev_ops->xdo_dev_state_delete(x1); + + if (x1->xso.dev) { + xso = &x1->xso; + netdev_hold(xso->dev, &xso->dev_tracker, GFP_ATOMIC); + err = xso->dev->xfrmdev_ops->xdo_dev_state_add(x1, NULL); + if (err) { + netdev_put(xso->dev, &xso->dev_tracker); + goto fail; + } + } + } +#endif err = 0; x->km.state = XFRM_STATE_DEAD; __xfrm_state_put(x);

From patchwork Wed Jan 22 12:09:41 2025
X-Patchwork-Submitter: Chiachang Wang
X-Patchwork-Id: 13947237
X-Patchwork-Delegate: kuba@kernel.org
Date: Wed, 22 Jan 2025 12:09:41 +0000
In-Reply-To: <20250122120941.2634198-1-chiachangwang@google.com>
X-Mailing-List: netdev@vger.kernel.org
Message-ID: <20250122120941.2634198-3-chiachangwang@google.com>
Subject: [PATCH ipsec v1 2/2] xfrm: Migrate offload configuration
From: Chiachang Wang
To: netdev@vger.kernel.org, steffen.klassert@secunet.com, leonro@nvidia.com
Cc: yumike@google.com, stanleyjhu@google.com, chiachangwang@google.com

If the SA contains offload configuration, the migration path should
update the SA as well.

This change supports SA migration with the offload attribute configured.
This allows the device to migrate with offload configuration.

Test: Enable both in/out IPSec crypto offload, and verify with
      Android device on both WiFi/cellular network, including:
      1. WiFi + offload -> Cellular + offload
      2. WiFi + offload -> Cellular + no offload
      3. WiFi + no offload -> Cellular + offload
      4. WiFi + no offload -> Cellular + no offload
      5. Cellular + offload -> WiFi + offload
      6. Cellular + no offload -> WiFi + offload
      7. Cellular + offload -> WiFi + no offload
      8. Cell + no offload -> WiFi + no offload

Signed-off-by: Chiachang Wang
---
 include/net/xfrm.h     |  8 ++++++--
 net/xfrm/xfrm_policy.c |  4 ++--
 net/xfrm/xfrm_state.c  | 14 +++++++++++---
 net/xfrm/xfrm_user.c   | 15 +++++++++++++--
 4 files changed, 32 insertions(+), 9 deletions(-)

diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 32c09e85a64c..a1359f912298 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h
@@ -1822,12 +1822,16 @@ struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *n u32 if_id); struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x, struct xfrm_migrate *m, - struct xfrm_encap_tmpl *encap); + struct xfrm_encap_tmpl *encap, + struct net *net, + struct xfrm_user_offload *xuo, + struct netlink_ext_ack *extack); int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, struct xfrm_migrate *m, int num_bundles, struct xfrm_kmaddress *k, struct net *net, struct xfrm_encap_tmpl *encap, u32 if_id, - struct netlink_ext_ack *extack); + struct netlink_ext_ack *extack, + struct xfrm_user_offload *xuo); #endif int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport); diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 4408c11c0835..3f5a06f3f0d2 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -4622,7 +4622,7 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, struct xfrm_migrate *m, int num_migrate, struct xfrm_kmaddress *k, struct net *net, struct xfrm_encap_tmpl *encap, u32 if_id, - struct netlink_ext_ack *extack) + struct netlink_ext_ack *extack, struct xfrm_user_offload *xuo) { int i, err, nx_cur = 0, nx_new = 0; struct xfrm_policy *pol = NULL; @@ -4655,7 +4655,7 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, if ((x = xfrm_migrate_state_find(mp, net, if_id))) { x_cur[nx_cur] = x; nx_cur++; - xc = xfrm_state_migrate(x, mp, encap); + xc = xfrm_state_migrate(x, mp, encap, net, xuo, extack); if (xc) { x_new[nx_new] = xc; nx_new++; diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 46d75980eb2e..2fdb4ea97844 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c 
@@ -2007,22 +2007,30 @@ EXPORT_SYMBOL(xfrm_migrate_state_find); struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x, struct xfrm_migrate *m, - struct xfrm_encap_tmpl *encap) + struct xfrm_encap_tmpl *encap, + struct net *net, + struct xfrm_user_offload *xuo, + struct netlink_ext_ack *extack) { struct xfrm_state *xc; - + bool offload = (xuo); xc = xfrm_state_clone(x, encap); if (!xc) return NULL; xc->props.family = m->new_family; - if (xfrm_init_state(xc) < 0) + if (__xfrm_init_state(xc, true, offload, NULL) < 0) goto error; + x->km.state = XFRM_STATE_VALID; memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr)); memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr)); + /* configure the hardware if offload is requested */ + if (offload & xfrm_dev_state_add(net, xc, xuo, extack)) + goto error; + /* add state */ if (xfrm_addr_equal(&x->id.daddr, &m->new_daddr, m->new_family)) { /* a care is needed when the destination address of the diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index b2876e09328b..505ae2427822 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -2989,6 +2989,7 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh, int n = 0; struct net *net = sock_net(skb->sk); struct xfrm_encap_tmpl *encap = NULL; + struct xfrm_user_offload *xuo = NULL; u32 if_id = 0; if (!attrs[XFRMA_MIGRATE]) { @@ -3019,11 +3020,21 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh, if (attrs[XFRMA_IF_ID]) if_id = nla_get_u32(attrs[XFRMA_IF_ID]); + if (attrs[XFRMA_OFFLOAD_DEV]) { + xuo = kmemdup(nla_data(attrs[XFRMA_OFFLOAD_DEV]), + sizeof(*xuo), GFP_KERNEL); + if (!xuo) { + err = -ENOMEM; + goto error; + } + } + err = xfrm_migrate(&pi->sel, pi->dir, type, m, n, kmp, net, encap, - if_id, extack); + if_id, extack, xuo); +error: kfree(encap); - + kfree(xuo); return err; } #else
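Review bot: [PATCH 1/2], second hunk of xfrm_state_update(): the memcpy() of x->xso into x1->xso runs before old_dev->xfrmdev_ops->xdo_dev_state_delete(x1), so the driver's delete callback is handed x1 with the new offload state already in place and can no longer see what was installed for the old device. Call the delete, and release the reference x1 held on old_dev (nothing in this hunk does), before overwriting x1->xso. On the xdo_dev_state_add() failure path netdev_put() is called but x1->xso.dev still points at the device, and the old device's entry is already gone, so `goto fail` leaves x1 with a stale xso.dev and no offload on either device; clear the pointer and decide whether the old offload should be restored. x keeps an identical xso and is marked XFRM_STATE_DEAD right afterwards, so the commit message should say which of the two states owns the device entry once x is destroyed.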
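Review bot: [PATCH 2/2], include/net/xfrm.h and the xfrm_migrate() definition in net/xfrm/xfrm_policy.c: the two prototypes order the new parameters differently, with xfrm_state_migrate() ending in `struct netlink_ext_ack *extack` and xfrm_migrate() placing `struct xfrm_user_offload *xuo` after extack. Keeping extack last in both matches the existing signature and reads more consistently. The added `struct net *net` argument to xfrm_state_migrate() also looks redundant, since xfrm_state.c already derives it with xs_net(x) in xfrm_state_update(). Because xfrm_migrate() gains a parameter, every caller has to change in the same patch; the diffstat lists only four files, so please confirm there are no callers outside them.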
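Review bot: [PATCH 2/2], xfrm_state_migrate(): `if (offload & xfrm_dev_state_add(net, xc, xuo, extack))` uses a bitwise AND between a bool and an int return value. Because `&` does not short-circuit, xfrm_dev_state_add() is called even when xuo is NULL, and a failure is only taken when the error code happens to have its lowest bit set (a return of -EINVAL, for example, ANDs to 0 and is treated as success). Use `offload && xfrm_dev_state_add(...)` or store and test the return value explicitly. In the same hunk, `x->km.state = XFRM_STATE_VALID;` writes to the source state x rather than the clone xc and is not explained in the commit message, __xfrm_init_state() is passed NULL although extack is now available, and the blank line after the declarations was removed.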
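Review bot: [PATCH 2/2], xfrm_do_migrate(): the kmemdup() of the XFRMA_OFFLOAD_DEV payload copies sizeof(*xuo) bytes with no length check visible in this hunk, so it relies on the attribute policy guaranteeing that size; please confirm that, or check nla_len() here. The copy itself looks avoidable, since xuo is freed right after xfrm_migrate() returns; passing nla_data(attrs[XFRMA_OFFLOAD_DEV]) directly would remove the allocation, the -ENOMEM path and the new `error:` label, unless something downstream keeps the pointer.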