Re: git: ef2a572bf6bd - main - ipsec_offload: kernel infrastructure

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Fri, 19 Jul 2024 14:26:43 UTC
On 12 Jul 2024, at 13:25, Konstantin Belousov wrote:
> The branch main has been updated by kib:
>
> URL: 
> https://cgit.FreeBSD.org/src/commit/?id=ef2a572bf6bdcac97ef29ce631d2f50f938e1ec8
>
> commit ef2a572bf6bdcac97ef29ce631d2f50f938e1ec8
> Author:     Konstantin Belousov <kib@FreeBSD.org>
> AuthorDate: 2021-08-22 19:38:04 +0000
> Commit:     Konstantin Belousov <kib@FreeBSD.org>
> CommitDate: 2024-07-12 04:27:58 +0000
>
>     ipsec_offload: kernel infrastructure
>
>     Inline IPSEC offload moves almost whole IPSEC processing from the
>     CPU/MCU and possibly crypto accelerator, to the network card.
>
>     The transmitted packet content is not touched by CPU during TX
>     operations, kernel only does the required policy and security
>     association lookups to find out that given flow is offloaded, and 
> then
>     packet is transmitted as plain text to the card. For driver 
> convenience,
>     a metadata is attached to the packet identifying SA which must 
> process
>     the packet. Card does encryption of the payload, padding, 
> calculates
>     authentication, and does the reformat according to the policy.
>
>     Similarly, on receive, card does the decapsulation, decryption, 
> and
>     authentification.  Kernel receives the identifier of SA that was
>     used to process the packet, together with the plain-text packet.
>
>     Overall, payload octets are only read or written by card DMA 
> engine,
>     removing a lot of memory subsystem overhead, and saving CPU time 
> because
>     IPSEC algos calculations are avoided.
>
>     If driver declares support for inline IPSEC offload (with the
>     IFCAP2_IPSEC_OFFLOAD capability set and registering method table 
> struct
>     if_ipsec_accel_methods), kernel offers the SPD and SAD to driver.
>     Driver decides which policies and SAs can be offloaded based on
>     hardware capacity, and acks/nacks each SA for given interface to
>     kernel.  Kernel needs to keep this information to make a decision 
> to
>     skip software processing on TX, and to assume processing already 
> done
>     on RX.  This shadow SPD/SAD database of offloads is rooted from
>     policies (struct secpolicy accel_ifps, struct ifp_handle_sp) and 
> SAs
>     (struct secasvar accel_ipfs, struct ifp_handle_sav).
>
>     Some extensions to the PF_KEY socket allow to limit interfaces for
>     which given SP/SA could be offloaded (proposed for offload).  
> Also,
>     additional statistics extensions allow to observe 
> allocation/octet/use
>     counters for specific SA.
>
>     Since SPs and SAs are typically instantiated in non-sleepable 
> context,
>     while offloading them into card is expected to require costly 
> async
>     manipulations of the card state, calls to the driver for offload 
> and
>     termination are executed in the threaded taskqueue.  It also 
> solves
>     the issue of allocating resources needed for the offload database.
>     Neither ipf_handle_sp nor ipf_handle_sav do not add reference to 
> the
>     owning SP/SA, the offload must be terminated before last reference 
> is
>     dropped.  ipsec_accel only adds transient references to ensure 
> safe
>     pointer ownership by taskqueue.
>
>     Maintaining the SA counters for hardware-accelerated packets is 
> the
>     duty of the driver.  The helper 
> ipsec_accel_drv_sa_lifetime_update()
>     is provided to hide accel infrastructure from drivers which would 
> use
>     expected callout to query hardware periodically for updates.
>
>     Reviewed by:    rscheff (transport, stack integration), np
>     Sponsored by:   NVIDIA networking
>     Differential revision:  https://reviews.freebsd.org/D44219
> ---
>  sys/conf/files               |    2 +
>  sys/conf/options             |    1 +
>  sys/modules/ipsec/Makefile   |    5 +-
>  sys/netipsec/ipsec.c         |   17 +
>  sys/netipsec/ipsec.h         |   11 +
>  sys/netipsec/ipsec_input.c   |   11 +
>  sys/netipsec/ipsec_offload.c | 1061 
> ++++++++++++++++++++++++++++++++++++++++++
>  sys/netipsec/ipsec_offload.h |  191 ++++++++
>  sys/netipsec/ipsec_output.c  |   15 +
>  sys/netipsec/ipsec_pcb.c     |   38 +-
>  sys/netipsec/key.c           |  270 ++++++++++-
>  sys/netipsec/key.h           |    6 +
>  sys/netipsec/key_debug.c     |    5 +
>  sys/netipsec/keydb.h         |   14 +
>  14 files changed, 1628 insertions(+), 19 deletions(-)
>
I’m seeing messages like `ipsec_accel_sa_install_newkey: spi 0x1001 
flags 0x40 seq 0` running the test suite now.
Are those stray debug printfs?

Best regards,
Kristof