Re: [PATCH] xfrm: add SA information to the offloaded packet
From: Leon Romanovsky <leon@kernel.org>
Date: 2024-09-05 07:49:33
On Wed, Sep 04, 2024 at 10:41:38AM -0700, Feng Wang wrote:
> Hi Leon,
>
> I'm looking at the MLX5 driver to understand how the SA information is used. In mlx5e_ipsec_handle_tx_skb(), it appears we might leverage the current MLX5 implementation to verify the xfrm id.
> https://elixir.bootlin.com/linux/v6.10/source/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c#L271
>
> During the mlx5e_xfrm_add_state() function, the xfrm ID (x->if_id) is passed to the driver along with the associated xfrm_state pointer. Therefore, by checking the if_id within the skb tx function like mlx5e_ipsec_handle_tx_skb(), we should be able to demonstrate the use case effectively.
>
> What’s your opinion?

Packet offloaded packets don't pass mlx5e_ipsec_handle_tx_skb() because the SKB is treated as plain text and not encrypted.

In order to support this feature in mlx5, you will need to do two things:

1. Create a rule which matches x->if_id in mlx5 flow steering, while creating SAs (see tx_add_rule()->setup_fte_reg_a()). This register is used in the transmit steering tables, and is loaded with the value of the flow_table_metadata field in the Ethernet Segment of the WQE.
2. Set x->if_id from the SKB in flow_table_metadata to allow HW to catch these packets. It means changing the mlx5e datapath to set this value from the SKB.

The first item is easy, just move setup_fte_reg_a() to the right place, but the second one is more complex, as the whole packet offload assumption is that we are working with plain text packets. I'm not even talking about eswitch mode, which will bring more complexity.

Thanks

> Thanks for your help.
> Feng