diff --git a/sys/dev/cxgbe/adapter.h b/sys/dev/cxgbe/adapter.h --- a/sys/dev/cxgbe/adapter.h +++ b/sys/dev/cxgbe/adapter.h @@ -163,7 +163,7 @@ ADAP_ERR = (1 << 5), BUF_PACKING_OK = (1 << 6), IS_VF = (1 << 7), - KERN_TLS_OK = (1 << 8), + KERN_TLS_ON = (1 << 8), /* HW is configured for KERN_TLS */ CXGBE_BUSY = (1 << 9), /* port flags */ diff --git a/sys/dev/cxgbe/common/common.h b/sys/dev/cxgbe/common/common.h --- a/sys/dev/cxgbe/common/common.h +++ b/sys/dev/cxgbe/common/common.h @@ -499,6 +499,11 @@ return adap->params.hash_filter; } +static inline int is_ktls(const struct adapter *adap) +{ + return adap->cryptocaps & FW_CAPS_CONFIG_TLS_HW; +} + static inline int chip_id(struct adapter *adap) { return adap->params.chipid; diff --git a/sys/dev/cxgbe/firmware/t6fw_cfg.txt b/sys/dev/cxgbe/firmware/t6fw_cfg.txt --- a/sys/dev/cxgbe/firmware/t6fw_cfg.txt +++ b/sys/dev/cxgbe/firmware/t6fw_cfg.txt @@ -161,7 +161,7 @@ nserver = 512 nhpfilter = 0 nhash = 16384 - protocol = ofld, rddp, rdmac, iscsi_initiator_pdu, iscsi_target_pdu, iscsi_t10dif, tlskeys, crypto_lookaside + protocol = ofld, rddp, rdmac, iscsi_initiator_pdu, iscsi_target_pdu, iscsi_t10dif, tlskeys, crypto_lookaside, nic_ktls_ofld tp_l2t = 4096 tp_ddp = 2 tp_ddp_iscsi = 2 @@ -273,7 +273,7 @@ [fini] version = 0x1 - checksum = 0xa92352a8 + checksum = 0x5fbc0a4a # # $FreeBSD$ # diff --git a/sys/dev/cxgbe/firmware/t6fw_cfg_kern_tls.txt b/sys/dev/cxgbe/firmware/t6fw_cfg_kern_tls.txt deleted file mode 100644 --- a/sys/dev/cxgbe/firmware/t6fw_cfg_kern_tls.txt +++ /dev/null 
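Review bot: is_ktls() in the common.h hunk answers only "does the firmware advertise FW_CAPS_CONFIG_TLS_HW", not whether NIC TLS is currently active, yet the adapter.h hunk in the same change introduces KERN_TLS_ON for that second meaning, and nothing at the definition tells a reader which of the two to test. A one-line comment above the helper would keep the next caller from using it as an "is NIC TLS on" check: `/* Firmware supports NIC TLS; test KERN_TLS_ON in adapter flags for whether it is currently configured. */`. Returning the raw masked int rather than bool matches the neighbouring is_hashfilter()/chip_id() helpers, so that part reads consistently.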
@@ -1,278 +0,0 @@ -# Firmware configuration file. -# -# Global limits (some are hardware limits, others are due to the firmware). -# nvi = 128 virtual interfaces -# niqflint = 1023 ingress queues with freelists and/or interrupts -# nethctrl = 64K Ethernet or ctrl egress queues -# neq = 64K egress queues of all kinds, including freelists -# nexactf = 512 MPS TCAM entries, can oversubscribe. - -[global] - rss_glb_config_mode = basicvirtual - rss_glb_config_options = tnlmapen,hashtoeplitz,tnlalllkp - - # PL_TIMEOUT register - pl_timeout_value = 200 # the timeout value in units of us - - sge_timer_value = 1, 5, 10, 50, 100, 200 # SGE_TIMER_VALUE* in usecs - - reg[0x10c4] = 0x20000000/0x20000000 # GK_CONTROL, enable 5th thread - - reg[0x7dc0] = 0x0e2f8849 # TP_SHIFT_CNT - - #Tick granularities in kbps - tsch_ticks = 100000, 10000, 1000, 10 - - filterMode = fragmentation, mpshittype, protocol, vlan, port, fcoe - filterMask = protocol - - tp_pmrx = 10, 512 - tp_pmrx_pagesize = 64K - - # TP number of RX channels (0 = auto) - tp_nrxch = 0 - - tp_pmtx = 10, 512 - tp_pmtx_pagesize = 64K - - # TP number of TX channels (0 = auto) - tp_ntxch = 0 - - # TP OFLD MTUs - tp_mtus = 88, 256, 512, 576, 808, 1024, 1280, 1488, 1500, 2002, 2048, 4096, 4352, 8192, 9000, 9600 - - # enable TP_OUT_CONFIG.IPIDSPLITMODE and CRXPKTENC - reg[0x7d04] = 0x00010008/0x00010008 - - # TP_GLOBAL_CONFIG - reg[0x7d08] = 0x00000800/0x00000800 # set IssFromCplEnable - - # TP_PC_CONFIG - reg[0x7d48] = 0x00000000/0x00000400 # clear EnableFLMError - - # TP_PARA_REG0 - reg[0x7d60] = 0x06000000/0x07000000 # set InitCWND to 6 - - # cluster, lan, or wan. - tp_tcptuning = lan - - # LE_DB_CONFIG - reg[0x19c04] = 0x00000000/0x00440000 # LE Server SRAM disabled - # LE IPv4 compression disabled - # LE_DB_HASH_CONFIG - reg[0x19c28] = 0x00800000/0x01f00000 # LE Hash bucket size 8, - - # ULP_TX_CONFIG - reg[0x8dc0] = 0x00000104/0x00000104 # Enable ITT on PI err - # Enable more error msg for ... - # TPT error. 
- - # ULP_RX_MISC_FEATURE_ENABLE - #reg[0x1925c] = 0x01003400/0x01003400 # iscsi tag pi bit - # Enable offset decrement after ... - # PI extraction and before DDP - # ulp insert pi source info in DIF - # iscsi_eff_offset_en - - #Enable iscsi completion moderation feature - reg[0x1925c] = 0x000041c0/0x000031c0 # Enable offset decrement after - # PI extraction and before DDP. - # ulp insert pi source info in - # DIF. - # Enable iscsi hdr cmd mode. - # iscsi force cmd mode. - # Enable iscsi cmp mode. - # MC configuration - #mc_mode_brc[0] = 1 # mc0 - 1: enable BRC, 0: enable RBC - -# PFs 0-3. These get 8 MSI/8 MSI-X vectors each. VFs are supported by -# these 4 PFs only. -[function "0"] - wx_caps = all - r_caps = all - nvi = 1 - rssnvi = 0 - niqflint = 2 - nethctrl = 2 - neq = 4 - nexactf = 2 - cmask = all - pmask = 0x1 - -[function "1"] - wx_caps = all - r_caps = all - nvi = 1 - rssnvi = 0 - niqflint = 2 - nethctrl = 2 - neq = 4 - nexactf = 2 - cmask = all - pmask = 0x2 - -[function "2"] - wx_caps = all - r_caps = all - nvi = 1 - rssnvi = 0 - niqflint = 2 - nethctrl = 2 - neq = 4 - nexactf = 2 - cmask = all - pmask = 0x4 - -[function "3"] - wx_caps = all - r_caps = all - nvi = 1 - rssnvi = 0 - niqflint = 2 - nethctrl = 2 - neq = 4 - nexactf = 2 - cmask = all - pmask = 0x8 - -# PF4 is the resource-rich PF that the bus/nexus driver attaches to. -# It gets 32 MSI/128 MSI-X vectors. -[function "4"] - wx_caps = all - r_caps = all - nvi = 32 - rssnvi = 32 - niqflint = 512 - nethctrl = 1024 - neq = 2048 - nqpcq = 8192 - nexactf = 456 - cmask = all - pmask = all - ncrypto_lookaside = 16 - nclip = 320 - nethofld = 8192 - - # TCAM has 6K cells; each region must start at a multiple of 128 cell. - # Each entry in these categories takes 2 cells each. nhash will use the - # TCAM iff there is room left (that is, the rest don't add up to 3072). 
- nfilter = 48 - nserver = 64 - nhpfilter = 0 - nhash = 524288 - protocol = ofld, tlskeys, crypto_lookaside - tp_l2t = 4096 - tp_ddp = 2 - tp_ddp_iscsi = 2 - tp_tls_key = 3 - tp_tls_mxrxsize = 17408 # 16384 + 1024, governs max rx data, pm max xfer len, rx coalesce sizes - tp_stag = 2 - tp_pbl = 5 - tp_rq = 7 - tp_srq = 128 - -# PF5 is the SCSI Controller PF. It gets 32 MSI/40 MSI-X vectors. -# Not used right now. -[function "5"] - nvi = 1 - rssnvi = 0 - -# PF6 is the FCoE Controller PF. It gets 32 MSI/40 MSI-X vectors. -# Not used right now. -[function "6"] - nvi = 1 - rssnvi = 0 - -# The following function, 1023, is not an actual PCIE function but is used to -# configure and reserve firmware internal resources that come from the global -# resource pool. -# -[function "1023"] - wx_caps = all - r_caps = all - nvi = 4 - rssnvi = 0 - cmask = all - pmask = all - nexactf = 8 - nfilter = 16 - - -# For Virtual functions, we only allow NIC functionality and we only allow -# access to one port (1 << PF). Note that because of limitations in the -# Scatter Gather Engine (SGE) hardware which checks writes to VF KDOORBELL -# and GTS registers, the number of Ingress and Egress Queues must be a power -# of 2. -# -[function "0/*"] - wx_caps = 0x82 - r_caps = 0x86 - nvi = 1 - rssnvi = 0 - niqflint = 2 - nethctrl = 2 - neq = 4 - nexactf = 2 - cmask = all - pmask = 0x1 - -[function "1/*"] - wx_caps = 0x82 - r_caps = 0x86 - nvi = 1 - rssnvi = 0 - niqflint = 2 - nethctrl = 2 - neq = 4 - nexactf = 2 - cmask = all - pmask = 0x2 - -[function "2/*"] - wx_caps = 0x82 - r_caps = 0x86 - nvi = 1 - rssnvi = 0 - niqflint = 2 - nethctrl = 2 - neq = 4 - nexactf = 2 - cmask = all - pmask = 0x1 - -[function "3/*"] - wx_caps = 0x82 - r_caps = 0x86 - nvi = 1 - rssnvi = 0 - niqflint = 2 - nethctrl = 2 - neq = 4 - nexactf = 2 - cmask = all - pmask = 0x2 - -# MPS has 192K buffer space for ingress packets from the wire as well as -# loopback path of the L2 switch. 
-[port "0"] - dcb = none - #bg_mem = 25 - #lpbk_mem = 25 - hwm = 60 - lwm = 15 - dwm = 30 - -[port "1"] - dcb = none - #bg_mem = 25 - #lpbk_mem = 25 - hwm = 60 - lwm = 15 - dwm = 30 - -[fini] - version = 0x1 - checksum = 0xa737b06f -# -# $FreeBSD$ -# diff --git a/sys/dev/cxgbe/t4_clip.c b/sys/dev/cxgbe/t4_clip.c --- a/sys/dev/cxgbe/t4_clip.c +++ b/sys/dev/cxgbe/t4_clip.c @@ -273,7 +273,7 @@ inet_ntop(AF_INET6, &ce->lip, &ip[0], sizeof(ip)); - if (sc->flags & KERN_TLS_OK || + if (sc->flags & KERN_TLS_ON || sc->active_ulds != 0) { log(LOG_ERR, "%s: could not add %s (%d)\n", diff --git a/sys/dev/cxgbe/t4_main.c b/sys/dev/cxgbe/t4_main.c --- a/sys/dev/cxgbe/t4_main.c +++ b/sys/dev/cxgbe/t4_main.c @@ -812,9 +812,12 @@ static int read_i2c(struct adapter *, struct t4_i2c_data *); static int clear_stats(struct adapter *, u_int); #ifdef TCP_OFFLOAD -static int toe_capability(struct vi_info *, int); +static int toe_capability(struct vi_info *, bool); static void t4_async_event(void *, int); #endif +#ifdef KERN_TLS +static int ktls_capability(struct adapter *, bool); +#endif static int mod_event(module_t, int, void *); static int notify_siblings(device_t, int); @@ -1838,7 +1841,7 @@ } #ifdef TCP_OFFLOAD - if (vi->nofldrxq != 0 && (sc->flags & KERN_TLS_OK) == 0) + if (vi->nofldrxq != 0) ifp->if_capabilities |= IFCAP_TOE; #endif #ifdef RATELIMIT @@ -1859,9 +1862,10 @@ #endif ifp->if_hw_tsomaxsegsize = 65536; #ifdef KERN_TLS - if (sc->flags & KERN_TLS_OK) { + if (is_ktls(sc)) { ifp->if_capabilities |= IFCAP_TXTLS; - ifp->if_capenable |= IFCAP_TXTLS; + if (sc->flags & KERN_TLS_ON) + ifp->if_capenable |= IFCAP_TXTLS; } #endif 
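Review bot: In the @@ -1859 hunk of t4_main.c the interface now advertises IFCAP_TXTLS whenever is_ktls(sc), while the @@ -1838 hunk just above drops the KERN_TLS_OK condition so IFCAP_TOE is advertised at the same time, and the two are mutually exclusive at runtime (later hunks refuse to enable one while the other is on); nothing at this site says so. A short comment where IFCAP_TXTLS is added would explain why both capabilities can appear together: `/* TOE and NIC TLS are mutually exclusive on this adapter; both are advertised and the conflict is resolved at enable time by toe_capability()/ktls_capability(). */`. Note also that if_capenable gets IFCAP_TXTLS by default when KERN_TLS_ON was set at attach, so a user who wants TOE on such a system must first turn txtls off on every interface — worth stating in the same comment. The enclosing attach function starts and ends outside the hunk.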
@@ -2186,8 +2190,15 @@ ifp->if_capenable ^= IFCAP_MEXTPG; #ifdef KERN_TLS - if (mask & IFCAP_TXTLS) + if (mask & IFCAP_TXTLS) { + int enable = (ifp->if_capenable ^ mask) & IFCAP_TXTLS; + + rc = ktls_capability(sc, enable); + if (rc != 0) + goto fail; + ifp->if_capenable ^= (mask & IFCAP_TXTLS); + } #endif if (mask & IFCAP_VXLAN_HWCSUM) { ifp->if_capenable ^= IFCAP_VXLAN_HWCSUM; 
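Review bot: `int enable = (ifp->if_capenable ^ mask) & IFCAP_TXTLS;` stores the IFCAP_TXTLS bit value in an int and then relies on implicit conversion when it is passed to ktls_capability's `bool enable` parameter; it works, but the intent is clearer written as the state being requested, `bool enable = (ifp->if_capenable & IFCAP_TXTLS) == 0;`. Also worth a comment at the `goto fail`: by the time ktls_capability() returns EAGAIN (TOE still enabled somewhere), the IFCAP_MEXTPG toggle visible just above has already been applied, so the ioctl fails with the mask only partially applied — if the existing TOE branch behaves the same way that is consistent, but it deserves a `/* earlier bits of mask stay applied on failure */` so nobody assumes the ioctl is atomic. The enclosing ioctl handler starts and ends outside the hunk.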
@@ -4782,47 +4793,36 @@ uint32_t tstamp; sc = arg; - - tstamp = tcp_ts_getticks(); - t4_write_reg(sc, A_TP_SYNC_TIME_HI, tstamp >> 1); - t4_write_reg(sc, A_TP_SYNC_TIME_LO, tstamp << 31); - + if (sc->flags & KERN_TLS_ON) { + tstamp = tcp_ts_getticks(); + t4_write_reg(sc, A_TP_SYNC_TIME_HI, tstamp >> 1); + t4_write_reg(sc, A_TP_SYNC_TIME_LO, tstamp << 31); + } callout_schedule_sbt(&sc->ktls_tick, SBT_1MS, 0, C_HARDCLOCK); } -static void -t4_enable_kern_tls(struct adapter *sc) +static int +t4_config_kern_tls(struct adapter *sc, bool enable) { - uint32_t m, v; - - m = F_ENABLECBYP; - v = F_ENABLECBYP; - t4_set_reg_field(sc, A_TP_PARA_REG6, m, v); - - m = F_CPL_FLAGS_UPDATE_EN | F_SEQ_UPDATE_EN; - v = F_CPL_FLAGS_UPDATE_EN | F_SEQ_UPDATE_EN; - t4_set_reg_field(sc, A_ULP_TX_CONFIG, m, v); - - m = F_NICMODE; - v = F_NICMODE; - t4_set_reg_field(sc, A_TP_IN_CONFIG, m, v); - - m = F_LOOKUPEVERYPKT; - v = 0; - t4_set_reg_field(sc, A_TP_INGRESS_CONFIG, m, v); - - m = F_TXDEFERENABLE | F_DISABLEWINDOWPSH | F_DISABLESEPPSHFLAG; - v = F_DISABLEWINDOWPSH; - t4_set_reg_field(sc, A_TP_PC_CONFIG, m, v); + int rc; + uint32_t param = V_FW_PARAMS_MNEM(FW_PARAMS_MNEM_DEV) | + V_FW_PARAMS_PARAM_X(FW_PARAMS_PARAM_DEV_KTLS_HW) | + V_FW_PARAMS_PARAM_Y(enable ? 1 : 0) | + V_FW_PARAMS_PARAM_Z(FW_PARAMS_PARAM_DEV_KTLS_HW_USER_ENABLE); - m = V_TIMESTAMPRESOLUTION(M_TIMESTAMPRESOLUTION); - v = V_TIMESTAMPRESOLUTION(0x1f); - t4_set_reg_field(sc, A_TP_TIMER_RESOLUTION, m, v); + rc = -t4_set_params(sc, sc->mbox, sc->pf, 0, 1, ¶m, ¶m); + if (rc != 0) { + CH_ERR(sc, "failed to %s NIC TLS: %d\n", + enable ? "enable" : "disable", rc); + return (rc); + } - sc->flags |= KERN_TLS_OK; + if (enable) + sc->flags |= KERN_TLS_ON; + else + sc->flags &= ~KERN_TLS_ON; - sc->tlst.inline_keys = t4_tls_inline_keys; - sc->tlst.combo_wrs = t4_tls_combo_wrs; + return (rc); } #endif 
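Review bot: t4_config_kern_tls() has no header comment, and the call `t4_set_params(sc, sc->mbox, sc->pf, 0, 1, &param, &param)` passes the same word as both the parameter and the value, which is surprising enough to need one; the enable/disable choice appears to travel in V_FW_PARAMS_PARAM_Y rather than in the value. Suggested header: `/* Ask firmware to switch the adapter between NIC TLS (enable) and TOE mode; the request is encoded in PARAM_Y, so the value word is unused. KERN_TLS_ON is updated only when the mailbox call succeeds. */`. Separately, ktls_tick() now skips the TP_SYNC_TIME writes when KERN_TLS_ON is clear but still reschedules itself every 1 ms unconditionally; since the callout is armed whenever is_ktls(sc) (later hunk), an adapter that never enables NIC TLS keeps a 1 ms callout running for nothing — returning without `callout_schedule_sbt` when off and arming it from the enable path would avoid that, though that touches code outside this hunk. ktls_tick's signature is outside the hunk.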
@@ -4936,18 +4936,19 @@ #ifdef KERN_TLS if (sc->cryptocaps & FW_CAPS_CONFIG_TLSKEYS && sc->toecaps & FW_CAPS_CONFIG_TOE) { - if (t4_kern_tls != 0) - t4_enable_kern_tls(sc); - else { - /* - * Limit TOE connections to 2 reassembly - * "islands". This is required for TOE TLS - * connections to downgrade to plain TOE - * connections if an unsupported TLS version - * or ciphersuite is used. - */ - t4_tp_wr_bits_indirect(sc, A_TP_FRAG_CONFIG, - V_PASSMODE(M_PASSMODE), V_PASSMODE(2)); + /* + * Limit TOE connections to 2 reassembly "islands". This is + * required for TOE TLS connections to downgrade to plain TOE + * connections if an unsupported TLS version or ciphersuite is + * used. + */ + t4_tp_wr_bits_indirect(sc, A_TP_FRAG_CONFIG, + V_PASSMODE(M_PASSMODE), V_PASSMODE(2)); + if (is_ktls(sc)) { + sc->tlst.inline_keys = t4_tls_inline_keys; + sc->tlst.combo_wrs = t4_tls_combo_wrs; + if (t4_kern_tls != 0) + t4_config_kern_tls(sc, true); } } #endif @@ -5863,7 +5864,7 @@ t4_intr_enable(sc); } #ifdef KERN_TLS - if (sc->flags & KERN_TLS_OK) + if (is_ktls(sc)) callout_reset_sbt(&sc->ktls_tick, SBT_1MS, 0, ktls_tick, sc, C_HARDCLOCK); #endif @@ -6753,7 +6754,7 @@ } #ifdef KERN_TLS - if (sc->flags & KERN_TLS_OK) { + if (is_ktls(sc)) { /* * dev.t4nex.0.tls. */ @@ -11047,7 +11048,7 @@ #ifdef TCP_OFFLOAD static int -toe_capability(struct vi_info *vi, int enable) +toe_capability(struct vi_info *vi, bool enable) { int rc; struct port_info *pi = vi->pi; 
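Review bot: In the @@ -4936 hunk the `sc->tlst.inline_keys`/`combo_wrs` initialisation and the optional t4_config_kern_tls(sc, true) sit inside the `cryptocaps & FW_CAPS_CONFIG_TLSKEYS && toecaps & FW_CAPS_CONFIG_TOE` guard, but every other new user of NIC TLS in this change (IFCAP_TXTLS advertisement, the ktls_tick callout in @@ -5863, the tls sysctls in @@ -6753, ktls_capability) is gated on is_ktls(sc) alone. If the firmware can ever report TLS_HW without TLSKEYS/TOE — I cannot tell from here — the interface would advertise and allow enabling NIC TLS with tlst never initialised; hoisting the `if (is_ktls(sc)) { … }` block out of the TLSKEYS/TOE guard, or gating the other sites on the same three bits, removes the mismatch. The return value of t4_config_kern_tls() is also dropped here; that is fine since it logs and leaves KERN_TLS_ON clear, but say so: `/* On failure NIC TLS simply stays off; the error is already logged. */`.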
@@ -11059,6 +11060,39 @@ return (ENODEV); if (enable) { +#ifdef KERN_TLS + if (sc->flags & KERN_TLS_ON) { + int i, j, n; + struct port_info *p; + struct vi_info *v; + + /* + * Reconfigure hardware for TOE if TXTLS is not enabled + * on any ifnet. + */ + n = 0; + for_each_port(sc, i) { + p = sc->port[i]; + for_each_vi(p, j, v) { + if (v->ifp->if_capenable & IFCAP_TXTLS) { + CH_WARN(sc, + "%s has NIC TLS enabled.\n", + device_get_nameunit(v->dev)); + n++; + } + } + } + if (n > 0) { + CH_WARN(sc, "Disable NIC TLS on all interfaces " + "associated with this adapter before " + "trying to enable TOE.\n"); + return (EAGAIN); + } + rc = t4_config_kern_tls(sc, false); + if (rc) + return (rc); + } +#endif if ((vi->ifp->if_capenable & IFCAP_TOE) != 0) { /* TOE is already enabled. */ return (0); @@ -11267,6 +11301,35 @@ } #endif +#ifdef KERN_TLS +static int +ktls_capability(struct adapter *sc, bool enable) +{ + ASSERT_SYNCHRONIZED_OP(sc); + + if (!is_ktls(sc)) + return (ENODEV); + + if (enable) { + if (sc->flags & KERN_TLS_ON) + return (0); /* already on */ + if (sc->offload_map != 0) { + CH_WARN(sc, + "Disable TOE on all interfaces associated with " + "this adapter before trying to enable NIC TLS.\n"); + return (EAGAIN); + } + return (t4_config_kern_tls(sc, true)); + } else { + /* + * Nothing to do for disable. If TOE is enabled sometime later + * then toe_capability will reconfigure the hardware. + */ + return (0); + } +} +#endif + /* * t = ptr to tunable. * nc = number of CPUs. diff --git a/sys/dev/cxgbe/t4_sge.c b/sys/dev/cxgbe/t4_sge.c --- a/sys/dev/cxgbe/t4_sge.c +++ b/sys/dev/cxgbe/t4_sge.c @@ -4419,7 +4419,7 @@ "# of times hardware assisted with inner checksums (VXLAN)"); #ifdef KERN_TLS - if (sc->flags & KERN_TLS_OK) { + if (is_ktls(sc)) { SYSCTL_ADD_UQUAD(&vi->ctx, children, OID_AUTO, "kern_tls_records", CTLFLAG_RD, &txq->kern_tls_records, "# of NIC TLS records transmitted"); diff --git a/sys/dev/cxgbe/tom/t4_connect.c b/sys/dev/cxgbe/tom/t4_connect.c 
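Review bot: In the toe_capability() hunk the conflict case returns EAGAIN after the CH_WARN, which ifconfig will report as "Resource temporarily unavailable" — misleading for a configuration conflict that will never resolve on its own; EBUSY would describe "another feature holds the hardware" better, unless EAGAIN is the established convention in this driver for such refusals. The scan over every port/VI reads other ifnets' if_capenable, so it is only race-free if this path runs under the same synchronized op that the SIOCSIFCAP handler toggles IFCAP_TXTLS in; an `ASSERT_SYNCHRONIZED_OP(sc)` is visible in ktls_capability but not in this hunk, so I would add a comment stating that assumption, `/* if_capenable of sibling VIs is stable here: both this and the TXTLS toggle run under the adapter's synchronized op. */`. toe_capability's body continues outside the hunk.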
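Review bot: ktls_capability()'s disable branch returns 0 without touching the hardware, so after `ifconfig ... -txtls` KERN_TLS_ON remains set and the hardware stays in NIC TLS mode — which means t4_connect.c/t4_listen.c (same change) keep refusing every TOE connection until somebody enables TOE and toe_capability() reconfigures; the "Nothing to do for disable" comment should spell that consequence out rather than leave it to the reader. Suggested replacement comment: `/* Nothing to do for disable: the hardware stays in NIC TLS mode and KERN_TLS_ON stays set, so TOE connections remain refused until toe_capability() reconfigures the chip on the next TOE enable. */`. A short function header listing the return values (ENODEV: no firmware support, EAGAIN: TOE active on some port, else the t4_config_kern_tls() result) would also help callers in the ioctl path.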
--- a/sys/dev/cxgbe/tom/t4_connect.c +++ b/sys/dev/cxgbe/tom/t4_connect.c @@ -256,7 +256,7 @@ DONT_OFFLOAD_ACTIVE_OPEN(ENOSYS); /* XXX: implement lagg+TOE */ else DONT_OFFLOAD_ACTIVE_OPEN(ENOTSUP); - if (sc->flags & KERN_TLS_OK) + if (sc->flags & KERN_TLS_ON) DONT_OFFLOAD_ACTIVE_OPEN(ENOTSUP); rw_rlock(&sc->policy_lock); diff --git a/sys/dev/cxgbe/tom/t4_listen.c b/sys/dev/cxgbe/tom/t4_listen.c --- a/sys/dev/cxgbe/tom/t4_listen.c +++ b/sys/dev/cxgbe/tom/t4_listen.c @@ -538,7 +538,7 @@ if (!(inp->inp_vflag & INP_IPV6) && IN_LOOPBACK(ntohl(inp->inp_laddr.s_addr))) return (0); - if (sc->flags & KERN_TLS_OK) + if (sc->flags & KERN_TLS_ON) return (0); #if 0 ADAPTER_LOCK(sc);