cxgbe(4): Allow a T6 adapter to switch between TOE and NIC TLS mode.

The hw.cxgbe.kern_tls tunable was used for this in the past and if it
was set then all T6 adapters would be configured for NIC TLS operation
and could not be reconfigured for TOE without a reload.  With this
change ifconfig can be used to manipulate toe and txtls caps like any
other caps.  hw.cxgbe.kern_tls continues to work as usual but its
effects are not permanent any more.

* Enable nic_ktls_ofld in the default configuration file and use the
  firmware instead of direct register manipulation to apply/rollback
  NIC TLS configuration.  This allows the driver to switch the hardware
  between TOE and NIC TLS mode in a safe manner.  Note that the
  configuration is adapter-wide and not per-port.

* Remove the kern_tls config file as it works with 100G T6 cards only
  and leads to firmware crashes with 25G cards.  The configurations
  included with the driver (with the exception of the FPGA configs) are
  supposed to work with all adapters.

Reported by:	Veeresh U.K. at Chelsio
MFC after:	2 weeks
Sponsored by:	Chelsio Communications
Reviewed by:	jhb@
Differential Revision: https://reviews.freebsd.org/D29291
Navdeep Parhar 2021-03-23 18:01:01 -07:00
parent 92d1463e02
commit 15f3355567
9 changed files with 129 additions and 339 deletions


@ -163,7 +163,7 @@ enum {
ADAP_ERR = (1 << 5),
BUF_PACKING_OK = (1 << 6),
IS_VF = (1 << 7),
KERN_TLS_OK = (1 << 8),
KERN_TLS_ON = (1 << 8), /* HW is configured for KERN_TLS */
CXGBE_BUSY = (1 << 9),
/* port flags */


@ -499,6 +499,11 @@ static inline int is_hashfilter(const struct adapter *adap)
return adap->params.hash_filter;
}
static inline int is_ktls(const struct adapter *adap)
{
return adap->cryptocaps & FW_CAPS_CONFIG_TLS_HW;
}
static inline int chip_id(struct adapter *adap)
{
return adap->params.chipid;
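Review bot: `is_ktls()` is added without a comment, and after this commit callers depend on the difference between it and `KERN_TLS_ON`. The helper tests the `FW_CAPS_CONFIG_TLS_HW` bit in `cryptocaps`, which appears to mean "the adapter is capable of NIC TLS", while the flag is annotated in this commit as "HW is configured for KERN_TLS". A one-line comment above the helper, such as `/* Adapter can do NIC TLS; whether it is currently in that mode is KERN_TLS_ON. */`, would keep later checks from gating on the wrong one. The helper also returns the raw masked value rather than 0/1, which is fine for the `if (is_ktls(sc))` uses shown here but worth normalising with `!= 0` if the result is ever stored or compared.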


@ -161,7 +161,7 @@
nserver = 512
nhpfilter = 0
nhash = 16384
protocol = ofld, rddp, rdmac, iscsi_initiator_pdu, iscsi_target_pdu, iscsi_t10dif, tlskeys, crypto_lookaside
protocol = ofld, rddp, rdmac, iscsi_initiator_pdu, iscsi_target_pdu, iscsi_t10dif, tlskeys, crypto_lookaside, nic_ktls_ofld
tp_l2t = 4096
tp_ddp = 2
tp_ddp_iscsi = 2
@ -273,7 +273,7 @@
[fini]
version = 0x1
checksum = 0xa92352a8
checksum = 0x5fbc0a4a
#
# $FreeBSD$
#


@ -1,278 +0,0 @@
# Firmware configuration file.
#
# Global limits (some are hardware limits, others are due to the firmware).
# nvi = 128 virtual interfaces
# niqflint = 1023 ingress queues with freelists and/or interrupts
# nethctrl = 64K Ethernet or ctrl egress queues
# neq = 64K egress queues of all kinds, including freelists
# nexactf = 512 MPS TCAM entries, can oversubscribe.
[global]
rss_glb_config_mode = basicvirtual
rss_glb_config_options = tnlmapen,hashtoeplitz,tnlalllkp
# PL_TIMEOUT register
pl_timeout_value = 200 # the timeout value in units of us
sge_timer_value = 1, 5, 10, 50, 100, 200 # SGE_TIMER_VALUE* in usecs
reg[0x10c4] = 0x20000000/0x20000000 # GK_CONTROL, enable 5th thread
reg[0x7dc0] = 0x0e2f8849 # TP_SHIFT_CNT
#Tick granularities in kbps
tsch_ticks = 100000, 10000, 1000, 10
filterMode = fragmentation, mpshittype, protocol, vlan, port, fcoe
filterMask = protocol
tp_pmrx = 10, 512
tp_pmrx_pagesize = 64K
# TP number of RX channels (0 = auto)
tp_nrxch = 0
tp_pmtx = 10, 512
tp_pmtx_pagesize = 64K
# TP number of TX channels (0 = auto)
tp_ntxch = 0
# TP OFLD MTUs
tp_mtus = 88, 256, 512, 576, 808, 1024, 1280, 1488, 1500, 2002, 2048, 4096, 4352, 8192, 9000, 9600
# enable TP_OUT_CONFIG.IPIDSPLITMODE and CRXPKTENC
reg[0x7d04] = 0x00010008/0x00010008
# TP_GLOBAL_CONFIG
reg[0x7d08] = 0x00000800/0x00000800 # set IssFromCplEnable
# TP_PC_CONFIG
reg[0x7d48] = 0x00000000/0x00000400 # clear EnableFLMError
# TP_PARA_REG0
reg[0x7d60] = 0x06000000/0x07000000 # set InitCWND to 6
# cluster, lan, or wan.
tp_tcptuning = lan
# LE_DB_CONFIG
reg[0x19c04] = 0x00000000/0x00440000 # LE Server SRAM disabled
# LE IPv4 compression disabled
# LE_DB_HASH_CONFIG
reg[0x19c28] = 0x00800000/0x01f00000 # LE Hash bucket size 8,
# ULP_TX_CONFIG
reg[0x8dc0] = 0x00000104/0x00000104 # Enable ITT on PI err
# Enable more error msg for ...
# TPT error.
# ULP_RX_MISC_FEATURE_ENABLE
#reg[0x1925c] = 0x01003400/0x01003400 # iscsi tag pi bit
# Enable offset decrement after ...
# PI extraction and before DDP
# ulp insert pi source info in DIF
# iscsi_eff_offset_en
#Enable iscsi completion moderation feature
reg[0x1925c] = 0x000041c0/0x000031c0 # Enable offset decrement after
# PI extraction and before DDP.
# ulp insert pi source info in
# DIF.
# Enable iscsi hdr cmd mode.
# iscsi force cmd mode.
# Enable iscsi cmp mode.
# MC configuration
#mc_mode_brc[0] = 1 # mc0 - 1: enable BRC, 0: enable RBC
# PFs 0-3. These get 8 MSI/8 MSI-X vectors each. VFs are supported by
# these 4 PFs only.
[function "0"]
wx_caps = all
r_caps = all
nvi = 1
rssnvi = 0
niqflint = 2
nethctrl = 2
neq = 4
nexactf = 2
cmask = all
pmask = 0x1
[function "1"]
wx_caps = all
r_caps = all
nvi = 1
rssnvi = 0
niqflint = 2
nethctrl = 2
neq = 4
nexactf = 2
cmask = all
pmask = 0x2
[function "2"]
wx_caps = all
r_caps = all
nvi = 1
rssnvi = 0
niqflint = 2
nethctrl = 2
neq = 4
nexactf = 2
cmask = all
pmask = 0x4
[function "3"]
wx_caps = all
r_caps = all
nvi = 1
rssnvi = 0
niqflint = 2
nethctrl = 2
neq = 4
nexactf = 2
cmask = all
pmask = 0x8
# PF4 is the resource-rich PF that the bus/nexus driver attaches to.
# It gets 32 MSI/128 MSI-X vectors.
[function "4"]
wx_caps = all
r_caps = all
nvi = 32
rssnvi = 32
niqflint = 512
nethctrl = 1024
neq = 2048
nqpcq = 8192
nexactf = 456
cmask = all
pmask = all
ncrypto_lookaside = 16
nclip = 320
nethofld = 8192
# TCAM has 6K cells; each region must start at a multiple of 128 cell.
# Each entry in these categories takes 2 cells each. nhash will use the
# TCAM iff there is room left (that is, the rest don't add up to 3072).
nfilter = 48
nserver = 64
nhpfilter = 0
nhash = 524288
protocol = ofld, tlskeys, crypto_lookaside
tp_l2t = 4096
tp_ddp = 2
tp_ddp_iscsi = 2
tp_tls_key = 3
tp_tls_mxrxsize = 17408 # 16384 + 1024, governs max rx data, pm max xfer len, rx coalesce sizes
tp_stag = 2
tp_pbl = 5
tp_rq = 7
tp_srq = 128
# PF5 is the SCSI Controller PF. It gets 32 MSI/40 MSI-X vectors.
# Not used right now.
[function "5"]
nvi = 1
rssnvi = 0
# PF6 is the FCoE Controller PF. It gets 32 MSI/40 MSI-X vectors.
# Not used right now.
[function "6"]
nvi = 1
rssnvi = 0
# The following function, 1023, is not an actual PCIE function but is used to
# configure and reserve firmware internal resources that come from the global
# resource pool.
#
[function "1023"]
wx_caps = all
r_caps = all
nvi = 4
rssnvi = 0
cmask = all
pmask = all
nexactf = 8
nfilter = 16
# For Virtual functions, we only allow NIC functionality and we only allow
# access to one port (1 << PF). Note that because of limitations in the
# Scatter Gather Engine (SGE) hardware which checks writes to VF KDOORBELL
# and GTS registers, the number of Ingress and Egress Queues must be a power
# of 2.
#
[function "0/*"]
wx_caps = 0x82
r_caps = 0x86
nvi = 1
rssnvi = 0
niqflint = 2
nethctrl = 2
neq = 4
nexactf = 2
cmask = all
pmask = 0x1
[function "1/*"]
wx_caps = 0x82
r_caps = 0x86
nvi = 1
rssnvi = 0
niqflint = 2
nethctrl = 2
neq = 4
nexactf = 2
cmask = all
pmask = 0x2
[function "2/*"]
wx_caps = 0x82
r_caps = 0x86
nvi = 1
rssnvi = 0
niqflint = 2
nethctrl = 2
neq = 4
nexactf = 2
cmask = all
pmask = 0x1
[function "3/*"]
wx_caps = 0x82
r_caps = 0x86
nvi = 1
rssnvi = 0
niqflint = 2
nethctrl = 2
neq = 4
nexactf = 2
cmask = all
pmask = 0x2
# MPS has 192K buffer space for ingress packets from the wire as well as
# loopback path of the L2 switch.
[port "0"]
dcb = none
#bg_mem = 25
#lpbk_mem = 25
hwm = 60
lwm = 15
dwm = 30
[port "1"]
dcb = none
#bg_mem = 25
#lpbk_mem = 25
hwm = 60
lwm = 15
dwm = 30
[fini]
version = 0x1
checksum = 0xa737b06f
#
# $FreeBSD$
#


@ -273,7 +273,7 @@ update_clip_table(struct adapter *sc)
inet_ntop(AF_INET6, &ce->lip, &ip[0],
sizeof(ip));
if (sc->flags & KERN_TLS_OK ||
if (sc->flags & KERN_TLS_ON ||
sc->active_ulds != 0) {
log(LOG_ERR,
"%s: could not add %s (%d)\n",


@ -812,9 +812,12 @@ static int read_card_mem(struct adapter *, int, struct t4_mem_range *);
static int read_i2c(struct adapter *, struct t4_i2c_data *);
static int clear_stats(struct adapter *, u_int);
#ifdef TCP_OFFLOAD
static int toe_capability(struct vi_info *, int);
static int toe_capability(struct vi_info *, bool);
static void t4_async_event(void *, int);
#endif
#ifdef KERN_TLS
static int ktls_capability(struct adapter *, bool);
#endif
static int mod_event(module_t, int, void *);
static int notify_siblings(device_t, int);
@ -1838,7 +1841,7 @@ cxgbe_vi_attach(device_t dev, struct vi_info *vi)
}
#ifdef TCP_OFFLOAD
if (vi->nofldrxq != 0 && (sc->flags & KERN_TLS_OK) == 0)
if (vi->nofldrxq != 0)
ifp->if_capabilities |= IFCAP_TOE;
#endif
#ifdef RATELIMIT
@ -1859,9 +1862,10 @@ cxgbe_vi_attach(device_t dev, struct vi_info *vi)
#endif
ifp->if_hw_tsomaxsegsize = 65536;
#ifdef KERN_TLS
if (sc->flags & KERN_TLS_OK) {
if (is_ktls(sc)) {
ifp->if_capabilities |= IFCAP_TXTLS;
ifp->if_capenable |= IFCAP_TXTLS;
if (sc->flags & KERN_TLS_ON)
ifp->if_capenable |= IFCAP_TXTLS;
}
#endif
@ -2186,8 +2190,15 @@ cxgbe_ioctl(struct ifnet *ifp, unsigned long cmd, caddr_t data)
ifp->if_capenable ^= IFCAP_MEXTPG;
#ifdef KERN_TLS
if (mask & IFCAP_TXTLS)
if (mask & IFCAP_TXTLS) {
int enable = (ifp->if_capenable ^ mask) & IFCAP_TXTLS;
rc = ktls_capability(sc, enable);
if (rc != 0)
goto fail;
ifp->if_capenable ^= (mask & IFCAP_TXTLS);
}
#endif
if (mask & IFCAP_VXLAN_HWCSUM) {
ifp->if_capenable ^= IFCAP_VXLAN_HWCSUM;
@ -4782,47 +4793,36 @@ ktls_tick(void *arg)
uint32_t tstamp;
sc = arg;
tstamp = tcp_ts_getticks();
t4_write_reg(sc, A_TP_SYNC_TIME_HI, tstamp >> 1);
t4_write_reg(sc, A_TP_SYNC_TIME_LO, tstamp << 31);
if (sc->flags & KERN_TLS_ON) {
tstamp = tcp_ts_getticks();
t4_write_reg(sc, A_TP_SYNC_TIME_HI, tstamp >> 1);
t4_write_reg(sc, A_TP_SYNC_TIME_LO, tstamp << 31);
}
callout_schedule_sbt(&sc->ktls_tick, SBT_1MS, 0, C_HARDCLOCK);
}
static void
t4_enable_kern_tls(struct adapter *sc)
static int
t4_config_kern_tls(struct adapter *sc, bool enable)
{
uint32_t m, v;
int rc;
uint32_t param = V_FW_PARAMS_MNEM(FW_PARAMS_MNEM_DEV) |
V_FW_PARAMS_PARAM_X(FW_PARAMS_PARAM_DEV_KTLS_HW) |
V_FW_PARAMS_PARAM_Y(enable ? 1 : 0) |
V_FW_PARAMS_PARAM_Z(FW_PARAMS_PARAM_DEV_KTLS_HW_USER_ENABLE);
m = F_ENABLECBYP;
v = F_ENABLECBYP;
t4_set_reg_field(sc, A_TP_PARA_REG6, m, v);
rc = -t4_set_params(sc, sc->mbox, sc->pf, 0, 1, &param, &param);
if (rc != 0) {
CH_ERR(sc, "failed to %s NIC TLS: %d\n",
enable ? "enable" : "disable", rc);
return (rc);
}
m = F_CPL_FLAGS_UPDATE_EN | F_SEQ_UPDATE_EN;
v = F_CPL_FLAGS_UPDATE_EN | F_SEQ_UPDATE_EN;
t4_set_reg_field(sc, A_ULP_TX_CONFIG, m, v);
if (enable)
sc->flags |= KERN_TLS_ON;
else
sc->flags &= ~KERN_TLS_ON;
m = F_NICMODE;
v = F_NICMODE;
t4_set_reg_field(sc, A_TP_IN_CONFIG, m, v);
m = F_LOOKUPEVERYPKT;
v = 0;
t4_set_reg_field(sc, A_TP_INGRESS_CONFIG, m, v);
m = F_TXDEFERENABLE | F_DISABLEWINDOWPSH | F_DISABLESEPPSHFLAG;
v = F_DISABLEWINDOWPSH;
t4_set_reg_field(sc, A_TP_PC_CONFIG, m, v);
m = V_TIMESTAMPRESOLUTION(M_TIMESTAMPRESOLUTION);
v = V_TIMESTAMPRESOLUTION(0x1f);
t4_set_reg_field(sc, A_TP_TIMER_RESOLUTION, m, v);
sc->flags |= KERN_TLS_OK;
sc->tlst.inline_keys = t4_tls_inline_keys;
sc->tlst.combo_wrs = t4_tls_combo_wrs;
return (rc);
}
#endif
@ -4936,18 +4936,19 @@ set_params__post_init(struct adapter *sc)
#ifdef KERN_TLS
if (sc->cryptocaps & FW_CAPS_CONFIG_TLSKEYS &&
sc->toecaps & FW_CAPS_CONFIG_TOE) {
if (t4_kern_tls != 0)
t4_enable_kern_tls(sc);
else {
/*
* Limit TOE connections to 2 reassembly
* "islands". This is required for TOE TLS
* connections to downgrade to plain TOE
* connections if an unsupported TLS version
* or ciphersuite is used.
*/
t4_tp_wr_bits_indirect(sc, A_TP_FRAG_CONFIG,
V_PASSMODE(M_PASSMODE), V_PASSMODE(2));
/*
* Limit TOE connections to 2 reassembly "islands". This is
* required for TOE TLS connections to downgrade to plain TOE
* connections if an unsupported TLS version or ciphersuite is
* used.
*/
t4_tp_wr_bits_indirect(sc, A_TP_FRAG_CONFIG,
V_PASSMODE(M_PASSMODE), V_PASSMODE(2));
if (is_ktls(sc)) {
sc->tlst.inline_keys = t4_tls_inline_keys;
sc->tlst.combo_wrs = t4_tls_combo_wrs;
if (t4_kern_tls != 0)
t4_config_kern_tls(sc, true);
}
}
#endif
@ -5863,7 +5864,7 @@ adapter_full_init(struct adapter *sc)
t4_intr_enable(sc);
}
#ifdef KERN_TLS
if (sc->flags & KERN_TLS_OK)
if (is_ktls(sc))
callout_reset_sbt(&sc->ktls_tick, SBT_1MS, 0, ktls_tick, sc,
C_HARDCLOCK);
#endif
@ -6753,7 +6754,7 @@ t4_sysctls(struct adapter *sc)
}
#ifdef KERN_TLS
if (sc->flags & KERN_TLS_OK) {
if (is_ktls(sc)) {
/*
* dev.t4nex.0.tls.
*/
@ -11047,7 +11048,7 @@ t4_ioctl(struct cdev *dev, unsigned long cmd, caddr_t data, int fflag,
#ifdef TCP_OFFLOAD
static int
toe_capability(struct vi_info *vi, int enable)
toe_capability(struct vi_info *vi, bool enable)
{
int rc;
struct port_info *pi = vi->pi;
@ -11059,6 +11060,39 @@ toe_capability(struct vi_info *vi, int enable)
return (ENODEV);
if (enable) {
#ifdef KERN_TLS
if (sc->flags & KERN_TLS_ON) {
int i, j, n;
struct port_info *p;
struct vi_info *v;
/*
* Reconfigure hardware for TOE if TXTLS is not enabled
* on any ifnet.
*/
n = 0;
for_each_port(sc, i) {
p = sc->port[i];
for_each_vi(p, j, v) {
if (v->ifp->if_capenable & IFCAP_TXTLS) {
CH_WARN(sc,
"%s has NIC TLS enabled.\n",
device_get_nameunit(v->dev));
n++;
}
}
}
if (n > 0) {
CH_WARN(sc, "Disable NIC TLS on all interfaces "
"associated with this adapter before "
"trying to enable TOE.\n");
return (EAGAIN);
}
rc = t4_config_kern_tls(sc, false);
if (rc)
return (rc);
}
#endif
if ((vi->ifp->if_capenable & IFCAP_TOE) != 0) {
/* TOE is already enabled. */
return (0);
@ -11267,6 +11301,35 @@ uld_active(struct adapter *sc, int uld_id)
}
#endif
#ifdef KERN_TLS
static int
ktls_capability(struct adapter *sc, bool enable)
{
ASSERT_SYNCHRONIZED_OP(sc);
if (!is_ktls(sc))
return (ENODEV);
if (enable) {
if (sc->flags & KERN_TLS_ON)
return (0); /* already on */
if (sc->offload_map != 0) {
CH_WARN(sc,
"Disable TOE on all interfaces associated with "
"this adapter before trying to enable NIC TLS.\n");
return (EAGAIN);
}
return (t4_config_kern_tls(sc, true));
} else {
/*
* Nothing to do for disable. If TOE is enabled sometime later
* then toe_capability will reconfigure the hardware.
*/
return (0);
}
}
#endif
/*
* t = ptr to tunable.
* nc = number of CPUs.
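Review bot: In the `toe_capability` hunk, the new scan over every port and VI reads `v->ifp->if_capenable` and calls `device_get_nameunit(v->dev)` without checking that the VI has an ifnet attached. Nothing on this page shows that every VI of every port is attached when this ioctl path runs, so if one can be unattached this is a NULL dereference in kernel context; `if (v->ifp == NULL) continue;` at the top of the inner loop would cover it. The scan also treats a cleared `IFCAP_TXTLS` bit as proof that NIC TLS is idle before `t4_config_kern_tls(sc, false)` switches the adapter-wide mode. Whether sessions set up while the bit was on can outlive it is not visible here, so the block comment should state what happens to them, or the check should count live sessions instead. `toe_capability` begins and continues outside the hunk.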


@ -4419,7 +4419,7 @@ alloc_txq(struct vi_info *vi, struct sge_txq *txq, int idx,
"# of times hardware assisted with inner checksums (VXLAN)");
#ifdef KERN_TLS
if (sc->flags & KERN_TLS_OK) {
if (is_ktls(sc)) {
SYSCTL_ADD_UQUAD(&vi->ctx, children, OID_AUTO,
"kern_tls_records", CTLFLAG_RD, &txq->kern_tls_records,
"# of NIC TLS records transmitted");


@ -256,7 +256,7 @@ t4_connect(struct toedev *tod, struct socket *so, struct nhop_object *nh,
DONT_OFFLOAD_ACTIVE_OPEN(ENOSYS); /* XXX: implement lagg+TOE */
else
DONT_OFFLOAD_ACTIVE_OPEN(ENOTSUP);
if (sc->flags & KERN_TLS_OK)
if (sc->flags & KERN_TLS_ON)
DONT_OFFLOAD_ACTIVE_OPEN(ENOTSUP);
rw_rlock(&sc->policy_lock);


@ -538,7 +538,7 @@ t4_listen_start(struct toedev *tod, struct tcpcb *tp)
if (!(inp->inp_vflag & INP_IPV6) &&
IN_LOOPBACK(ntohl(inp->inp_laddr.s_addr)))
return (0);
if (sc->flags & KERN_TLS_OK)
if (sc->flags & KERN_TLS_ON)
return (0);
#if 0
ADAPTER_LOCK(sc);