www.infradead.org Git - users/dwmw2/linux.git/commit

author	Jianbo Liu <jianbol@nvidia.com>
	Thu, 20 Feb 2025 21:39:55 +0000 (23:39 +0200)
committer	Jakub Kicinski <kuba@kernel.org>
	Tue, 25 Feb 2025 02:14:32 +0000 (18:14 -0800)
commit	aa2961e19ff60f2b69c0e35320221f2827d0bac6
tree	a7b56c0a609d315f018ff24df086b0f343c6b822	tree
parent	7d9e292ecd678269fd11ec8d09610fd1eda2742e	commit \| diff

net/mlx5e: Skip IPSec RX policy check for crypto offload

For crypto offload, there is no xfrm policy rule offloaded to
hardware, so no need to continue with policy check for it.

Previously, for crypto offload, the hardware metadata reg c4 is not
used and not changed, but set to ASO_OK(0) before decryption to avoid
garbage data. Then a default rule is added to check ipsec_syndrome and
this register. Packets are forwarded to policy table if succeed, or
drop if fails.

According to hardware document, this register value could be 0, 1.
So a special value (0xAA), which is not used by hardware, is chosen as
an indication for crypto offload. It is set to c4 before decryption.
Then a default rule, which matches on 0xAA (and ipsec_syndrome on 0),
is added, which means packets are done by crypto offload, and
sends them to kernel directly, thus skips the policy check.

Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Patrisious Haddad <phaddad@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20250220213959.504304-6-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>