Add basic support for TCP/IP based hardware TLS offload to mlx5core.

The hardware offload is primarily targeted for TLS v1.2 and v1.3,
using AES 128/256 bit pre-shared keys. This patch adds all the needed
hardware structures, capabilites and firmware commands.

Sponsored by:	Mellanox Technologies

sys/conf/files

@@ -4756,6 +4756,8 @@ dev/mlx5/mlx5_core/mlx5_rl.c			optional mlx5 pci	\
 	compile-with "${OFED_C}"
 dev/mlx5/mlx5_core/mlx5_srq.c			optional mlx5 pci	\
 	compile-with "${OFED_C}"
+dev/mlx5/mlx5_core/mlx5_tls.c			optional mlx5 pci	\
+	compile-with "${OFED_C}"
 dev/mlx5/mlx5_core/mlx5_transobj.c		optional mlx5 pci	\
 	compile-with "${OFED_C}"
 dev/mlx5/mlx5_core/mlx5_uar.c			optional mlx5 pci	\

sys/dev/mlx5/device.h

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2013-2018, Mellanox Technologies, Ltd.  All rights reserved.
+ * Copyright (c) 2013-2019, Mellanox Technologies, Ltd.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -381,6 +381,18 @@ enum {
 	MLX5_OPCODE_SIGNATURE_CANCELED	= (1 << 15),
 };
 
+enum {
+	MLX5_OPCODE_MOD_UMR_UMR = 0x0,
+	MLX5_OPCODE_MOD_UMR_TLS_TIS_STATIC_PARAMS = 0x1,
+	MLX5_OPCODE_MOD_UMR_TLS_TIR_STATIC_PARAMS = 0x2,
+};
+
+enum {
+	MLX5_OPCODE_MOD_PSV_PSV = 0x0,
+	MLX5_OPCODE_MOD_PSV_TLS_TIS_PROGRESS_PARAMS = 0x1,
+	MLX5_OPCODE_MOD_PSV_TLS_TIR_PROGRESS_PARAMS = 0x2,
+};
+
 enum {
 	MLX5_SET_PORT_RESET_QKEY	= 0,
 	MLX5_SET_PORT_GUID0		= 16,
@@ -919,6 +931,10 @@ enum mlx5_cap_type {
 	MLX5_CAP_VECTOR_CALC,
 	MLX5_CAP_QOS,
 	MLX5_CAP_DEBUG,
+	MLX5_CAP_NVME,
+	MLX5_CAP_DMC,
+	MLX5_CAP_DEC,
+	MLX5_CAP_TLS,
 	/* NUM OF CAP Types */
 	MLX5_CAP_NUM
 };
@@ -951,6 +967,9 @@ enum mlx5_mcam_feature_groups {
 #define MLX5_CAP_GEN(mdev, cap) \
 	MLX5_GET(cmd_hca_cap, mdev->hca_caps_cur[MLX5_CAP_GENERAL], cap)
 
+#define	MLX5_CAP_GEN_64(mdev, cap)					\
+	MLX5_GET64(cmd_hca_cap, mdev->hca_caps_cur[MLX5_CAP_GENERAL], cap)
+
 #define MLX5_CAP_GEN_MAX(mdev, cap) \
 	MLX5_GET(cmd_hca_cap, mdev->hca_caps_max[MLX5_CAP_GENERAL], cap)
 
@@ -1076,6 +1095,9 @@ enum mlx5_mcam_feature_groups {
 #define MLX5_CAP64_FPGA(mdev, cap) \
 	MLX5_GET64(fpga_cap, (mdev)->caps.fpga, cap)
 
+#define	MLX5_CAP_TLS(mdev, cap) \
+	MLX5_GET(tls_capabilities, (mdev)->hca_caps_cur[MLX5_CAP_TLS], cap)
+
 enum {
 	MLX5_CMD_STAT_OK			= 0x0,
 	MLX5_CMD_STAT_INT_ERR			= 0x1,

sys/dev/mlx5/mlx5_core/mlx5_cmd.c

@@ -361,6 +361,7 @@ static int mlx5_internal_err_ret_value(struct mlx5_core_dev *dev, u16 op,
 	case MLX5_CMD_OP_MODIFY_FLOW_TABLE:
 	case MLX5_CMD_OP_SET_FLOW_TABLE_ENTRY:
 	case MLX5_CMD_OP_SET_FLOW_TABLE_ROOT:
+	case MLX5_CMD_OP_DESTROY_GENERAL_OBJ:
 		return MLX5_CMD_STAT_OK;
 
 	case MLX5_CMD_OP_QUERY_HCA_CAP:
@@ -459,6 +460,9 @@ static int mlx5_internal_err_ret_value(struct mlx5_core_dev *dev, u16 op,
 	case MLX5_CMD_OP_CREATE_FLOW_GROUP:
 	case MLX5_CMD_OP_QUERY_FLOW_GROUP:
 	case MLX5_CMD_OP_QUERY_FLOW_TABLE_ENTRY:
+	case MLX5_CMD_OP_CREATE_GENERAL_OBJ:
+	case MLX5_CMD_OP_MODIFY_GENERAL_OBJ:
+	case MLX5_CMD_OP_QUERY_GENERAL_OBJ:
 		*status = MLX5_DRIVER_STATUS_ABORTED;
 		*synd = MLX5_DRIVER_SYND;
 		return -EIO;
@@ -606,6 +610,10 @@ const char *mlx5_command_str(int command)
 	MLX5_COMMAND_STR_CASE(DELETE_FLOW_TABLE_ENTRY);
 	MLX5_COMMAND_STR_CASE(SET_DIAGNOSTICS);
 	MLX5_COMMAND_STR_CASE(QUERY_DIAGNOSTICS);
+	MLX5_COMMAND_STR_CASE(CREATE_GENERAL_OBJ);
+	MLX5_COMMAND_STR_CASE(MODIFY_GENERAL_OBJ);
+	MLX5_COMMAND_STR_CASE(QUERY_GENERAL_OBJ);
+	MLX5_COMMAND_STR_CASE(DESTROY_GENERAL_OBJ);
 	default: return "unknown command opcode";
 	}
 }

sys/dev/mlx5/mlx5_core/mlx5_fw.c

@@ -227,6 +227,12 @@ int mlx5_query_hca_caps(struct mlx5_core_dev *dev)
 			return err;
 	}
 
+	if (MLX5_CAP_GEN(dev, tls)) {
+		err = mlx5_core_get_caps(dev, MLX5_CAP_TLS);
+		if (err)
+			return err;
+	}
+
 	err = mlx5_core_query_special_contexts(dev);
 	if (err)
 		return err;

sys/dev/mlx5/mlx5_core/mlx5_tls.c

@@ -0,0 +1,120 @@
+/*-
+ * Copyright (c) 2019, Mellanox Technologies, Ltd.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS `AS IS' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <dev/mlx5/driver.h>
+#include <dev/mlx5/tls.h>
+
+#include "mlx5_core.h"
+#include "transobj.h"
+
+int mlx5_encryption_key_create(struct mlx5_core_dev *mdev, u32 pdn,
+    const void *p_key, u32 key_len, u32 *p_obj_id)
+{
+	u32 in[MLX5_ST_SZ_DW(create_encryption_key_in)] = {};
+	u32 out[MLX5_ST_SZ_DW(create_encryption_key_out)] = {};
+	u64 general_obj_types;
+	int err;
+
+	general_obj_types = MLX5_CAP_GEN_64(mdev, general_obj_types);
+	if (!(general_obj_types & MLX5_HCA_CAP_GENERAL_OBJ_TYPES_ENCRYPTION_KEY))
+		return -EINVAL;
+
+	switch (key_len) {
+	case 128 / 8:
+		memcpy(MLX5_ADDR_OF(create_encryption_key_in, in,
+		    encryption_key_object.key[4]), p_key, 128 / 8);
+		MLX5_SET(create_encryption_key_in, in, encryption_key_object.pd, pdn);
+		MLX5_SET(create_encryption_key_in, in, encryption_key_object.key_size,
+			 MLX5_GENERAL_OBJECT_TYPE_ENCRYPTION_KEY_KEY_SIZE_128);
+		MLX5_SET(create_encryption_key_in, in, encryption_key_object.key_type,
+			 MLX5_GENERAL_OBJECT_TYPE_ENCRYPTION_KEY_TYPE_DEK);
+		break;
+	case 256 / 8:
+		memcpy(MLX5_ADDR_OF(create_encryption_key_in, in,
+		    encryption_key_object.key[0]), p_key, 256 / 8);
+		MLX5_SET(create_encryption_key_in, in, encryption_key_object.pd, pdn);
+		MLX5_SET(create_encryption_key_in, in, encryption_key_object.key_size,
+			 MLX5_GENERAL_OBJECT_TYPE_ENCRYPTION_KEY_KEY_SIZE_256);
+		MLX5_SET(create_encryption_key_in, in, encryption_key_object.key_type,
+			 MLX5_GENERAL_OBJECT_TYPE_ENCRYPTION_KEY_TYPE_DEK);
+		break;
+	default:
+		return -EINVAL;
+	}
+
+	MLX5_SET(create_encryption_key_in, in, opcode, MLX5_CMD_OP_CREATE_GENERAL_OBJ);
+	MLX5_SET(create_encryption_key_in, in, obj_type, MLX5_GENERAL_OBJECT_TYPES_ENCRYPTION_KEY);
+
+	err = mlx5_cmd_exec(mdev, in, sizeof(in), out, sizeof(out));
+	if (err == 0)
+		*p_obj_id = MLX5_GET(create_encryption_key_out, out, obj_id);
+
+	/* avoid leaking key on the stack */
+	memset(in, 0, sizeof(in));
+
+	return err;
+}
+
+int mlx5_encryption_key_destroy(struct mlx5_core_dev *mdev, u32 oid)
+{
+	u32 in[MLX5_ST_SZ_DW(destroy_encryption_key_in)] = {};
+	u32 out[MLX5_ST_SZ_DW(destroy_encryption_key_out)] = {};
+
+	MLX5_SET(destroy_encryption_key_in, in, opcode, MLX5_CMD_OP_DESTROY_GENERAL_OBJ);
+	MLX5_SET(destroy_encryption_key_in, in, obj_type, MLX5_GENERAL_OBJECT_TYPES_ENCRYPTION_KEY);
+	MLX5_SET(destroy_encryption_key_in, in, obj_id, oid);
+
+	return mlx5_cmd_exec(mdev, in, sizeof(in), out, sizeof(out));
+}
+
+int mlx5_tls_open_tis(struct mlx5_core_dev *mdev, int tc, int tdn, int pdn, u32 *p_tisn)
+{
+	u32 in[MLX5_ST_SZ_DW(create_tis_in)] = {};
+	void *tisc = MLX5_ADDR_OF(create_tis_in, in, ctx);
+	int err;
+
+	MLX5_SET(tisc, tisc, prio, tc);
+	MLX5_SET(tisc, tisc, transport_domain, tdn);
+	MLX5_SET(tisc, tisc, tls_en, 1);
+	MLX5_SET(tisc, tisc, pd, pdn);
+
+	err = mlx5_core_create_tis(mdev, in, sizeof(in), p_tisn);
+	if (err)
+		return (err);
+	else if (*p_tisn == 0)
+		return (-EINVAL);
+	else
+		return (0);	/* success */
+}
+
+void mlx5_tls_close_tis(struct mlx5_core_dev *mdev, u32 tisn)
+{
+
+	mlx5_core_destroy_tis(mdev, tisn);
+}

sys/dev/mlx5/mlx5_en/en.h

@@ -1059,6 +1059,17 @@ struct mlx5e_tx_wqe {
 	struct mlx5_wqe_eth_seg eth;
 };
 
+struct mlx5e_tx_umr_wqe {
+	struct mlx5_wqe_ctrl_seg ctrl;
+	struct mlx5_wqe_umr_ctrl_seg umr;
+	uint8_t mkc[64];
+};
+
+struct mlx5e_tx_psv_wqe {
+	struct mlx5_wqe_ctrl_seg ctrl;
+	struct mlx5_seg_set_psv psv;
+};
+
 struct mlx5e_rx_wqe {
 	struct mlx5_wqe_srq_next_seg next;
 	struct mlx5_wqe_data_seg data[];

sys/dev/mlx5/mlx5_ifc.h

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2013-2017, Mellanox Technologies, Ltd.  All rights reserved.
+ * Copyright (c) 2013-2019, Mellanox Technologies, Ltd.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -63,6 +63,7 @@ enum {
 	MLX5_EVENT_TYPE_NIC_VPORT_CHANGE                           = 0xd,
 	MLX5_EVENT_TYPE_FPGA_ERROR                                 = 0x20,
 	MLX5_EVENT_TYPE_FPGA_QP_ERROR                              = 0x21,
+	MLX5_EVENT_TYPE_CODING_GENERAL_OBJ_EVENT                   = 0x27,
 };
 
 enum {
@@ -252,6 +253,11 @@ enum {
 	MLX5_CMD_OP_FPGA_QUERY_QP                 = 0x962,
 	MLX5_CMD_OP_FPGA_DESTROY_QP               = 0x963,
 	MLX5_CMD_OP_FPGA_QUERY_QP_COUNTERS        = 0x964,
+	MLX5_CMD_OP_CREATE_GENERAL_OBJ            = 0xa00,
+	MLX5_CMD_OP_MODIFY_GENERAL_OBJ            = 0xa01,
+	MLX5_CMD_OP_QUERY_GENERAL_OBJ             = 0xa02,
+	MLX5_CMD_OP_DESTROY_GENERAL_OBJ           = 0xa03,
+
 };
 
 enum {
@@ -269,6 +275,23 @@ enum {
 	MLX5_ICMD_CMDS_OPCODE_ICMD_OPCODE_INIT_OCSD         = 0xf004
 };
 
+enum {
+	MLX5_GENERAL_OBJECT_TYPES_ENCRYPTION_KEY = 0xc,
+};
+
+enum {
+	MLX5_HCA_CAP_GENERAL_OBJ_TYPES_ENCRYPTION_KEY = 1 << 0xc,
+};
+
+enum {
+	MLX5_GENERAL_OBJECT_TYPE_ENCRYPTION_KEY_KEY_SIZE_128 = 0x0,
+	MLX5_GENERAL_OBJECT_TYPE_ENCRYPTION_KEY_KEY_SIZE_256 = 0x1,
+};
+
+enum {
+	MLX5_GENERAL_OBJECT_TYPE_ENCRYPTION_KEY_TYPE_DEK = 0x1,
+};
+
 struct mlx5_ifc_flow_table_fields_supported_bits {
 	u8         outer_dmac[0x1];
 	u8         outer_smac[0x1];
@@ -1268,7 +1291,17 @@ struct mlx5_ifc_cmd_hca_cap_bits {
 	u8         reserved_61[0x3];
 	u8         log_max_current_uc_list[0x5];
 
-	u8         reserved_62[0x80];
+	u8         general_obj_types[0x40];
+
+	u8         reserved_at_440[0x8];
+	u8         create_qp_start_hint[0x18];
+
+	u8         tls[0x1];
+	u8         reserved_at_461[0x2];
+	u8         log_max_uctx[0x5];
+	u8         reserved_at_468[0x3];
+	u8         log_max_umem[0x5];
+	u8         max_num_eqs[0x10];
 
 	u8         reserved_63[0x3];
 	u8         log_max_l2_table[0x5];
@@ -1287,7 +1320,13 @@ struct mlx5_ifc_cmd_hca_cap_bits {
 	u8         reserved_67[0x10];
 	u8         log_max_atomic_size_dc[0x8];
 
-	u8         reserved_68[0x1f];
+	u8         reserved_at_5a0[0x13];
+	u8         log_max_dek[0x5];
+	u8         reserved_at_5b8[0x4];
+	u8         mini_cqe_resp_stride_index[0x1];
+	u8         cqe_128_always[0x1];
+	u8         cqe_compression_128b[0x1];
+
 	u8         cqe_compression[0x1];
 
 	u8         cqe_compression_timeout[0x10];
@@ -1332,6 +1371,16 @@ struct mlx5_ifc_rx_hash_field_select_bits {
 	u8         selected_fields[0x1e];
 };
 
+struct mlx5_ifc_tls_capabilities_bits {
+	u8         tls_1_2_aes_gcm_128[0x1];
+	u8         tls_1_3_aes_gcm_128[0x1];
+	u8         tls_1_2_aes_gcm_256[0x1];
+	u8         tls_1_3_aes_gcm_256[0x1];
+	u8         reserved_at_4[0x1c];
+
+	u8         reserved_at_20[0x7e0];
+};
+
 enum {
 	MLX5_WQ_TYPE_LINKED_LIST                 = 0x0,
 	MLX5_WQ_TYPE_CYCLIC                      = 0x1,
@@ -2212,7 +2261,8 @@ struct mlx5_ifc_traffic_counter_bits {
 
 struct mlx5_ifc_tisc_bits {
 	u8         strict_lag_tx_port_affinity[0x1];
-	u8         reserved_at_1[0x3];
+	u8         tls_en[0x1];
+	u8         reserved_at_2[0x2];
 	u8         lag_tx_port_affinity[0x04];
 
 	u8         reserved_at_8[0x4];
@@ -2227,7 +2277,10 @@ struct mlx5_ifc_tisc_bits {
 	u8         reserved_4[0x8];
 	u8         underlay_qpn[0x18];
 
-	u8         reserved_5[0x3a0];
+	u8         reserved_5[0x8];
+	u8         pd[0x18];
+
+	u8         reserved_6[0x380];
 };
 
 enum {
@@ -2255,7 +2308,8 @@ struct mlx5_ifc_tirc_bits {
 	u8         reserved_0[0x20];
 
 	u8         disp_type[0x4];
-	u8         reserved_1[0x1c];
+	u8         tls_en[0x1];
+	u8         reserved_at_25[0x1b];
 
 	u8         reserved_2[0x40];
 
@@ -2717,6 +2771,7 @@ union mlx5_ifc_hca_cap_union_bits {
 	struct mlx5_ifc_snapshot_cap_bits snapshot_cap;
 	struct mlx5_ifc_debug_cap_bits diagnostic_counters_cap;
 	struct mlx5_ifc_qos_cap_bits qos_cap;
+	struct mlx5_ifc_tls_capabilities_bits tls_capabilities;
 	u8         reserved_0[0x8000];
 };
 
@@ -5956,6 +6011,24 @@ struct mlx5_ifc_get_dropped_packet_log_in_bits {
 	u8         reserved_2[0x40];
 };
 
+struct mlx5_ifc_encryption_key_obj_bits {
+	u8         modify_field_select[0x40];
+
+	u8         reserved_at_40[0x14];
+	u8         key_size[0x4];
+	u8         reserved_at_58[0x4];
+	u8         key_type[0x4];
+
+	u8         reserved_at_60[0x8];
+	u8         pd[0x18];
+
+	u8         reserved_at_80[0x180];
+
+	u8         key[8][0x20];
+
+	u8         reserved_at_300[0x500];
+};
+
 struct mlx5_ifc_gen_eqe_in_bits {
 	u8         opcode[0x10];
 	u8         reserved_0[0x10];
@@ -6428,6 +6501,27 @@ struct mlx5_ifc_destroy_flow_group_in_bits {
 	u8         reserved_6[0x120];
 };
 
+struct mlx5_ifc_destroy_encryption_key_out_bits {
+	u8         status[0x8];
+	u8         reserved_at_8[0x18];
+
+	u8         syndrome[0x20];
+
+	u8         reserved_at_40[0x40];
+};
+
+struct mlx5_ifc_destroy_encryption_key_in_bits {
+	u8         opcode[0x10];
+	u8         reserved_at_10[0x10];
+
+	u8         reserved_at_20[0x10];
+	u8         obj_type[0x10];
+
+	u8         obj_id[0x20];
+
+	u8         reserved_at_60[0x20];
+};
+
 struct mlx5_ifc_destroy_eq_out_bits {
 	u8         status[0x8];
 	u8         reserved_0[0x18];
@@ -7257,6 +7351,29 @@ struct mlx5_ifc_create_flow_group_in_bits {
 	u8         reserved_10[0xe00];
 };
 
+struct mlx5_ifc_create_encryption_key_out_bits {
+	u8         status[0x8];
+	u8         reserved_at_8[0x18];
+
+	u8         syndrome[0x20];
+
+	u8         obj_id[0x20];
+
+	u8         reserved_at_60[0x20];
+};
+
+struct mlx5_ifc_create_encryption_key_in_bits {
+	u8         opcode[0x10];
+	u8         reserved_at_10[0x10];
+
+	u8         reserved_at_20[0x10];
+	u8         obj_type[0x10];
+
+	u8         reserved_at_40[0x40];
+
+	struct mlx5_ifc_encryption_key_obj_bits encryption_key_object;
+};
+
 struct mlx5_ifc_create_eq_out_bits {
 	u8         status[0x8];
 	u8         reserved_0[0x18];
@@ -9746,6 +9863,44 @@ struct mlx5_ifc_mtt_bits {
 	u8         rd_en[0x1];
 };
 
+struct mlx5_ifc_tls_progress_params_bits {
+	u8         valid[0x1];
+	u8         reserved_at_1[0x7];
+	u8         pd[0x18];
+
+	u8         next_record_tcp_sn[0x20];
+
+	u8         hw_resync_tcp_sn[0x20];
+
+	u8         record_tracker_state[0x2];
+	u8         auth_state[0x2];
+	u8         reserved_at_64[0x4];
+	u8         hw_offset_record_number[0x18];
+};
+
+struct mlx5_ifc_tls_static_params_bits {
+	u8         const_2[0x2];
+	u8         tls_version[0x4];
+	u8         const_1[0x2];
+	u8         reserved_at_8[0x14];
+	u8         encryption_standard[0x4];
+
+	u8         reserved_at_20[0x20];
+
+	u8         initial_record_number[0x40];
+
+	u8         resync_tcp_sn[0x20];
+
+	u8         gcm_iv[0x20];
+
+	u8         implicit_iv[0x40];
+
+	u8         reserved_at_100[0x8];
+	u8         dek_index[0x18];
+
+	u8         reserved_at_120[0xe0];
+};
+
 /* Vendor Specific Capabilities, VSC */
 enum {
 	MLX5_VSC_DOMAIN_ICMD			= 0x1,

sys/dev/mlx5/tls.h

@@ -0,0 +1,39 @@
+/*-
+ * Copyright (c) 2019, Mellanox Technologies, Ltd.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS `AS IS' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#ifndef __MLX5_TLS_H__
+#define	__MLX5_TLS_H__
+
+struct mlx5_core_dev;
+
+int mlx5_encryption_key_create(struct mlx5_core_dev *mdev, u32 pdn,
+    const void *p_key, u32 key_len, u32 * p_obj_id);
+int mlx5_encryption_key_destroy(struct mlx5_core_dev *mdev, u32 oid);
+int mlx5_tls_open_tis(struct mlx5_core_dev *mdev, int tc, int tdn, int pdn, u32 *p_tisn);
+void mlx5_tls_close_tis(struct mlx5_core_dev *mdev, u32 tisn);
+
+#endif					/* __MLX5_TLS_H__ */

sys/modules/mlx5/Makefile

@@ -26,6 +26,7 @@ mlx5_port.c \
 mlx5_qp.c \
 mlx5_rl.c \
 mlx5_srq.c \
+mlx5_tls.c \
 mlx5_transobj.c \
 mlx5_uar.c \
 mlx5_vport.c \