This feature still relies on some symbols from Verbs and thus the support is only compile if the symbols are available. Only ConnectX-4 Lx INNOVA are security capable.
Signed-off-by: Aviad Yehezkel <avia...@mellanox.com> Signed-off-by: Nelio Laranjeiro <nelio.laranje...@6wind.com> --- doc/guides/nics/mlx5.rst | 9 +++++++++ drivers/net/mlx5/mlx5.c | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+) diff --git a/doc/guides/nics/mlx5.rst b/doc/guides/nics/mlx5.rst index f9558da89..643c1dd5d 100644 --- a/doc/guides/nics/mlx5.rst +++ b/doc/guides/nics/mlx5.rst @@ -295,6 +295,15 @@ Run-time configuration Enabled by default. +- ``ipsec_en`` parameter [int] + + A nonzero value enables the IPsec feature on the port. + Enabling this feature enables, ``txq_inline`` with a size equal to + RTE_CACHE_LINE_SIZE and disables ``rx_vec_en``, ``tx_vec_en`` and + ``txq_mpw_en``. + + Enabled by default on ConnectX-4 Lx INOVA. + Prerequisites ------------- diff --git a/drivers/net/mlx5/mlx5.c b/drivers/net/mlx5/mlx5.c index e74026caf..0a7e9ac34 100644 --- a/drivers/net/mlx5/mlx5.c +++ b/drivers/net/mlx5/mlx5.c @@ -95,6 +95,9 @@ /* Device parameter to enable hardware Rx vector. */ #define MLX5_RX_VEC_EN "rx_vec_en" +/* Device parameter to enable hardware IPsec offload. */ +#define MLX5_IPSEC_EN "ipsec_en" + /* Default PMD specific parameter value. */ #define MLX5_ARG_UNSET (-1) @@ -128,6 +131,7 @@ struct mlx5_args { int tso; int tx_vec_en; int rx_vec_en; + int ipsec_en; }; /** * Retrieve integer value from environment variable. @@ -438,6 +442,8 @@ mlx5_args_check(const char *key, const char *val, void *opaque) args->tx_vec_en = !!tmp; } else if (strcmp(MLX5_RX_VEC_EN, key) == 0) { args->rx_vec_en = !!tmp; + } else if (strcmp(MLX5_IPSEC_EN, key) == 0) { + args->ipsec_en = !!tmp; } else { WARN("%s: unknown parameter", key); return -EINVAL; @@ -469,6 +475,7 @@ mlx5_args(struct mlx5_args *args, struct rte_devargs *devargs) MLX5_TSO, MLX5_TX_VEC_EN, MLX5_RX_VEC_EN, + MLX5_IPSEC_EN, NULL, }; struct rte_kvargs *kvlist; @@ -528,6 +535,8 @@ mlx5_args_assign(struct priv *priv, struct mlx5_args *args) priv->tx_vec_en = args->tx_vec_en; if (args->rx_vec_en != MLX5_ARG_UNSET) priv->rx_vec_en = args->rx_vec_en; + if (args->ipsec_en != MLX5_ARG_UNSET) + priv->ipsec_en = args->ipsec_en; } /** @@ -556,6 +565,7 @@ mlx5_pci_probe(struct rte_pci_driver *pci_drv, struct rte_pci_device *pci_dev) unsigned int mps; unsigned int cqe_comp; unsigned int tunnel_en = 0; + unsigned int ipsec_en = 0; int idx; int i; struct mlx5dv_context attrs_out; @@ -645,6 +655,13 @@ mlx5_pci_probe(struct rte_pci_driver *pci_drv, struct rte_pci_device *pci_dev) ibv_dev = list[i]; DEBUG("device opened"); +#ifdef HAVE_IBV_IPSEC_SUPPORT + attrs_out.comp_mask |= MLX5DV_CONTEXT_MASK_XFRM_FLAGS; + mlx5dv_query_device(attr_ctx, &attrs_out); + if ((attrs_out.xfrm_flags & MLX5_IPSEC_FLAGS) == MLX5_IPSEC_FLAGS) + ipsec_en = 1; +#endif + DEBUG("Tx/Rx IPsec offload is %ssupported", ipsec_en ? "" : "not "); /* * Multi-packet send is supported by ConnectX-4 Lx PF as well * as all ConnectX-5 devices. @@ -693,6 +710,7 @@ mlx5_pci_probe(struct rte_pci_driver *pci_drv, struct rte_pci_device *pci_dev) .tso = MLX5_ARG_UNSET, .tx_vec_en = MLX5_ARG_UNSET, .rx_vec_en = MLX5_ARG_UNSET, + .ipsec_en = MLX5_ARG_UNSET, }; mlx5_dev[idx].ports |= test; @@ -787,6 +805,7 @@ mlx5_pci_probe(struct rte_pci_driver *pci_drv, struct rte_pci_device *pci_dev) priv->mps = mps; /* Enable MPW by default if supported. */ priv->cqe_comp = cqe_comp; priv->tunnel_en = tunnel_en; + priv->ipsec_en = ipsec_en; /* Enable vector by default if supported. */ priv->tx_vec_en = 1; priv->rx_vec_en = 1; @@ -797,6 +816,19 @@ mlx5_pci_probe(struct rte_pci_driver *pci_drv, struct rte_pci_device *pci_dev) goto port_error; } mlx5_args_assign(priv, &args); + if (priv->ipsec_en) { +#ifndef HAVE_IBV_IPSEC_SUPPORT + priv->ipsec_en = 0; + WARN("IPsec Offload not supported."); +#else /* HAVE_IBV_IPSEC_SUPPORT */ + priv->txq_inline = RTE_CACHE_LINE_SIZE; + priv->txqs_inline = 0; + priv->mps = MLX5_MPW_DISABLED; + priv->tx_vec_en = 0; + priv->rx_vec_en = 0; + WARN("IPsec offload enabled"); +#endif /* HAVE_IBV_IPSEC_SUPPORT */ + } if (ibv_query_device_ex(ctx, NULL, &device_attr_ex)) { ERROR("ibv_query_device_ex() failed"); goto port_error; -- 2.11.0