nvethernet:MACSEC, add byp lut with VF MAC

Issue: If the supplicant is killed for some reason Data would flow
plain on that interface, this needs to be avoided

Fix: Update bypass LUT such that if the frames from the VF(on which
supplicant is launched) is received on MACSEC either authenticate the
same or drop. Along with this handles below items as well. All the VFs MACIDs
are obtained in OSI to update the bypass LUTs to decide on which VF frames
to be authenticated and which VF frames needs to be bypassed.

1. Remove osi_macsec_en API and have single API to init and deinit
2. Remove explicit command from supplicant to set control port and
set protected frames. Handle the same in osi_macsec_init

Bug 3984665

Change-Id: I8bc8aa95d1e21e99e992b471fb70ed58073163f7
Signed-off-by: Sanath Kumar Gampa <sgampa@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/2878515
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>

drivers/net/ethernet/nvidia/nvethernet/ether_linux.c

@@ -6754,14 +6754,6 @@ static int ether_resume(struct ether_priv_data *pdata)
 	schedule_delayed_work(&pdata->ether_hsi_work,
 			      msecs_to_jiffies(osi_core->hsi.err_time_threshold));
 #endif
-	/* Keep MACSEC also to Resume if MACSEC is supported on this platform */
-#ifdef MACSEC_SUPPORT
-	if (pdata->macsec_pdata && pdata->macsec_pdata->next_supp_idx != OSI_DISABLE) {
-		ret = macsec_resume(pdata->macsec_pdata);
-		if (ret < 0)
-			dev_err(pdata->dev, "Failed to resume MACSEC ");
-	}
-#endif /* MACSEC_SUPPORT */
 
 	return 0;
 
@@ -6794,20 +6786,10 @@ static int ether_suspend_noirq(struct device *dev)
 	struct osi_dma_priv_data *osi_dma = pdata->osi_dma;
 	struct osi_ioctl ioctl_data = {};
 	unsigned int i = 0, chan = 0;
-	int ret;
 
 	if (!netif_running(ndev))
 		return 0;
 
-	/* Keep MACSEC to suspend if MACSEC is supported on this platform */
-#ifdef MACSEC_SUPPORT
-	if (pdata->macsec_pdata && pdata->macsec_pdata->next_supp_idx != OSI_DISABLE) {
-		ret = macsec_suspend(pdata->macsec_pdata);
-		if (ret < 0)
-			dev_err(pdata->dev, "Failed to suspend macsec");
-	}
-#endif /* MACSEC_SUPPORT */
-
 	tasklet_kill(&pdata->lane_restart_task);
 
 	/* stop workqueue */

drivers/net/ethernet/nvidia/nvethernet/macsec.c

@@ -191,14 +191,6 @@ int macsec_close(struct macsec_priv_data *macsec_pdata)
 	int ret = 0;
 
 	PRINT_ENTRY();
-	/* Disable the macsec controller */
-	ret = osi_macsec_en(pdata->osi_core, OSI_DISABLE);
-	if (ret < 0) {
-		dev_err(dev, "%s: Failed to enable macsec Tx/Rx, %d\n",
-			__func__, ret);
-		return ret;
-	}
-	macsec_pdata->enabled = OSI_DISABLE;
 	osi_macsec_deinit(pdata->osi_core);
 
 	if (macsec_pdata->is_irq_allocated & OSI_BIT(1)) {
@@ -209,6 +201,7 @@ int macsec_close(struct macsec_priv_data *macsec_pdata)
 		devm_free_irq(dev, macsec_pdata->s_irq, macsec_pdata);
 		macsec_pdata->is_irq_allocated &= ~OSI_BIT(0);
 	}
+	macsec_pdata->enabled = OSI_DISABLE;
 
 	PRINT_EXIT();
 
@@ -262,7 +255,7 @@ int macsec_open(struct macsec_priv_data *macsec_pdata,
 	macsec_pdata->is_irq_allocated |= OSI_BIT(1);
 
 	/* Invoke OSI HW initialization, initialize standard BYP entries */
-	ret = osi_macsec_init(pdata->osi_core, pdata->osi_core->mtu);
+	ret = osi_macsec_init(pdata->osi_core, pdata->osi_core->mtu, pdata->ndev->dev_addr);
 	if (ret < 0) {
 		dev_err(dev, "osi_macsec_init failed, %d\n", ret);
 		goto err_osi_init;
@@ -278,20 +271,14 @@ int macsec_open(struct macsec_priv_data *macsec_pdata,
 	}
 #endif /* !MACSEC_KEY_PROGRAM */
 
-	/* Enable the macsec controller */
-	ret = osi_macsec_en(pdata->osi_core,
-			    (OSI_MACSEC_TX_EN | OSI_MACSEC_RX_EN));
-	if (ret < 0) {
-		dev_err(dev, "%s: Failed to enable macsec Tx/Rx, %d\n",
-			__func__, ret);
-		goto err_osi_en;
-	}
-	macsec_pdata->enabled = (OSI_MACSEC_TX_EN | OSI_MACSEC_RX_EN);
+	macsec_pdata->enabled = OSI_ENABLE;
 
 	goto exit;
 
+#if !defined(MACSEC_KEY_PROGRAM) && !defined(NVPKCS_MACSEC)
 err_osi_en:
 	osi_macsec_deinit(pdata->osi_core);
+#endif /* !MACSEC_KEY_PROGRAM */
 err_osi_init:
 	devm_free_irq(dev, macsec_pdata->ns_irq, macsec_pdata);
 err_ns_irq:
@@ -301,49 +288,6 @@ exit:
 	return ret;
 }
 
-/**
- * Calling macsec_close as part of macsec_suspend as supplicant
- * is disabling the current AN and creating new AN as part of
- * resume.
- */
-int macsec_suspend(struct macsec_priv_data *macsec_pdata)
-{
-	struct ether_priv_data *pdata = macsec_pdata->ether_pdata;
-	struct device *dev = pdata->dev;
-	int ret = 0;
-
-	ret = macsec_close(macsec_pdata);
-	if (ret < 0) {
-		dev_err(dev, "Failed to close macsec\n");
-		return ret;
-	}
-	return ret;
-}
-
-/**
- * Calling macsec_open as part of macsec_resume as supplicant
- * is disabling the current AN and creating new AN as part of
- * resume.
- */
-int macsec_resume(struct macsec_priv_data *macsec_pdata)
-{
-	struct ether_priv_data *pdata = macsec_pdata->ether_pdata;
-	struct device *dev = pdata->dev;
-	struct osi_core_priv_data *osi_core = pdata->osi_core;
-	int ret = 0;
-
-	if ((osi_core->use_virtualization == OSI_DISABLE) &&
-	    (macsec_pdata->ns_rst)) {
-		ret = reset_control_reset(macsec_pdata->ns_rst);
-		if (ret < 0) {
-			dev_err(dev, "failed to reset macsec\n");
-			return ret;
-		}
-	}
-
-	return macsec_open(macsec_pdata, OSI_NULL);
-}
-
 static int macsec_get_platform_res(struct macsec_priv_data *macsec_pdata)
 {
 	struct ether_priv_data *pdata = macsec_pdata->ether_pdata;
@@ -470,87 +414,6 @@ static struct macsec_supplicant_data *macsec_get_supplicant(
 	return NULL;
 }
 
-static int update_prot_frame(
-			struct macsec_priv_data *macsec_pdata) {
-	struct macsec_supplicant_data *supplicant = macsec_pdata->supplicant;
-	int i;
-	int enable = OSI_NONE;
-
-	/* check any supplicant instance set */
-	for (i = 0; i < OSI_MAX_NUM_SC; i++) {
-		if (supplicant[i].protect_frames == OSI_ENABLE) {
-			enable = OSI_ENABLE;
-			break;
-		}
-	}
-	return enable;
-}
-
-static int update_set_controlled_port(
-			struct macsec_priv_data *macsec_pdata) {
-	struct macsec_supplicant_data *supplicant = macsec_pdata->supplicant;
-	int i;
-	int enable = OSI_NONE;
-
-	/* check any supplicant instance set */
-	for (i = 0; i < OSI_MAX_NUM_SC; i++) {
-		if (supplicant[i].enabled == OSI_ENABLE) {
-			enable = OSI_ENABLE;
-			break;
-		}
-	}
-	return enable;
-}
-
-static int macsec_set_prot_frames(struct sk_buff *skb, struct genl_info *info)
-{
-	struct nlattr **attrs = info->attrs;
-	unsigned int enable;
-	struct macsec_priv_data *macsec_pdata;
-	struct macsec_supplicant_data *supplicant;
-	struct ether_priv_data *pdata = NULL;
-	int ret = 0;
-
-	PRINT_ENTRY();
-	if (!attrs[NV_MACSEC_ATTR_IFNAME] ||
-	    !attrs[NV_MACSEC_ATTR_PROT_FRAMES_EN]) {
-		ret = -EINVAL;
-		goto exit;
-	}
-
-	macsec_pdata = genl_to_macsec_pdata(info);
-	if (!macsec_pdata) {
-		ret = -EPROTO;
-		goto exit;
-	}
-	pdata = macsec_pdata->ether_pdata;
-
-	if (!netif_running(pdata->ndev)) {
-		ret = -ENETDOWN;
-		dev_err(pdata->dev, "%s: MAC interface down!!\n", __func__);
-		goto exit;
-	}
-
-	mutex_lock(&macsec_pdata->lock);
-	supplicant = macsec_get_supplicant(macsec_pdata, info->snd_portid);
-	if (!supplicant) {
-		ret = -EPROTO;
-		dev_err(pdata->dev, "%s: failed to get supplicant data",
-			__func__);
-		goto err_unlock;
-	}
-	supplicant->protect_frames =
-		nla_get_u32(attrs[NV_MACSEC_ATTR_PROT_FRAMES_EN]);
-	enable = update_prot_frame(macsec_pdata);
-	macsec_pdata->protect_frames = enable;
-
-err_unlock:
-	mutex_unlock(&macsec_pdata->lock);
-exit:
-	PRINT_EXIT();
-	return ret;
-}
-
 static int macsec_set_cipher(struct sk_buff *skb, struct genl_info *info)
 {
 	struct nlattr **attrs = info->attrs;
@@ -611,71 +474,6 @@ exit:
 	return ret;
 }
 
-static int macsec_set_controlled_port(struct sk_buff *skb,
-				      struct genl_info *info)
-{
-	struct nlattr **attrs = info->attrs;
-	struct macsec_priv_data *macsec_pdata;
-	unsigned int enable = 0;
-	unsigned int macsec_en = 0;
-	struct macsec_supplicant_data *supplicant;
-	struct ether_priv_data *pdata = NULL;
-	int ret = 0;
-
-	PRINT_ENTRY();
-	if (!attrs[NV_MACSEC_ATTR_IFNAME] ||
-	    !attrs[NV_MACSEC_ATTR_CTRL_PORT_EN]) {
-		ret = -EINVAL;
-		goto exit;
-	}
-
-	macsec_pdata = genl_to_macsec_pdata(info);
-	if (!macsec_pdata) {
-		ret = -EPROTO;
-		goto exit;
-	}
-	pdata = macsec_pdata->ether_pdata;
-
-	if (!netif_running(pdata->ndev)) {
-		ret = -ENETDOWN;
-		dev_err(pdata->dev, "%s: MAC interface down!!\n", __func__);
-		goto exit;
-	}
-
-	mutex_lock(&macsec_pdata->lock);
-	supplicant = macsec_get_supplicant(macsec_pdata, info->snd_portid);
-	if (!supplicant) {
-		ret = -EPROTO;
-		dev_err(pdata->dev, "%s: failed to get supplicant data",
-			__func__);
-		goto err_unlock;
-	}
-
-	supplicant->enabled = nla_get_u32(attrs[NV_MACSEC_ATTR_CTRL_PORT_EN]);
-	enable = update_set_controlled_port(macsec_pdata);
-	if (enable) {
-		macsec_en |= OSI_MACSEC_RX_EN;
-		if (macsec_pdata->protect_frames)
-			macsec_en |= OSI_MACSEC_TX_EN;
-	}
-
-	if (macsec_pdata->enabled != macsec_en) {
-		ret = osi_macsec_en(macsec_pdata->ether_pdata->osi_core,
-				    macsec_en);
-		if (ret < 0) {
-			ret = -EPROTO;
-			goto err_unlock;
-		}
-		macsec_pdata->enabled = macsec_en;
-	}
-
-err_unlock:
-	mutex_unlock(&macsec_pdata->lock);
-exit:
-	PRINT_EXIT();
-	return ret;
-}
-
 static int parse_sa_config(struct nlattr **attrs, struct nlattr **tb_sa,
 			   struct osi_macsec_sc_info *sc_info,
 			   struct nvpkcs_data *pkcs)
@@ -1415,11 +1213,6 @@ static const struct genl_ops nv_macsec_genl_ops[] = {
 		.doit = macsec_init,
 		.flags = GENL_ADMIN_PERM,
 	},
-	{
-		.cmd = NV_MACSEC_CMD_SET_PROT_FRAMES,
-		.doit = macsec_set_prot_frames,
-		.flags = GENL_ADMIN_PERM,
-	},
 	{
 		.cmd = NV_MACSEC_CMD_SET_REPLAY_PROT,
 		.doit = macsec_set_replay_prot,
@@ -1430,11 +1223,6 @@ static const struct genl_ops nv_macsec_genl_ops[] = {
 		.doit = macsec_set_cipher,
 		.flags = GENL_ADMIN_PERM,
 	},
-	{
-		.cmd = NV_MACSEC_CMD_SET_CONTROLLED_PORT,
-		.doit = macsec_set_controlled_port,
-		.flags = GENL_ADMIN_PERM,
-	},
 	{
 		.cmd = NV_MACSEC_CMD_DEINIT,
 		.doit = macsec_deinit,

drivers/net/ethernet/nvidia/nvethernet/macsec.h

@@ -1,5 +1,5 @@
 /* SPDX-License-Identifier: GPL-2.0-only */
-/* Copyright (c) 2019-2022, NVIDIA CORPORATION & AFFILIATES. All rights reserved */
+/* Copyright (c) 2019-2023, NVIDIA CORPORATION & AFFILIATES. All rights reserved */
 
 #ifndef INCLUDED_MACSEC_H
 #define INCLUDED_MACSEC_H
@@ -102,11 +102,9 @@ enum nv_macsec_attrs {
 	NV_MACSEC_ATTR_UNSPEC,
 	NV_MACSEC_ATTR_IFNAME,
 	NV_MACSEC_ATTR_TXSC_PORT,
-	NV_MACSEC_ATTR_PROT_FRAMES_EN,
 	NV_MACSEC_ATTR_REPLAY_PROT_EN,
 	NV_MACSEC_ATTR_REPLAY_WINDOW,
 	NV_MACSEC_ATTR_CIPHER_SUITE,
-	NV_MACSEC_ATTR_CTRL_PORT_EN,
 	NV_MACSEC_ATTR_SA_CONFIG, /* Nested SA config */
 	NV_MACSEC_ATTR_TZ_CONFIG, /* Nested TZ config */
 	NV_MACSEC_ATTR_TZ_KT_RESET, /* Nested TZ KT config */
@@ -164,10 +162,8 @@ static const struct nla_policy nv_macsec_genl_policy[NUM_NV_MACSEC_ATTR] = {
 enum nv_macsec_nl_commands {
 	NV_MACSEC_CMD_INIT,
 	NV_MACSEC_CMD_GET_TX_NEXT_PN,
-	NV_MACSEC_CMD_SET_PROT_FRAMES,
 	NV_MACSEC_CMD_SET_REPLAY_PROT,
 	NV_MACSEC_CMD_SET_CIPHER,
-	NV_MACSEC_CMD_SET_CONTROLLED_PORT,
 	NV_MACSEC_CMD_CREATE_TX_SA,
 	NV_MACSEC_CMD_EN_TX_SA,
 	NV_MACSEC_CMD_DIS_TX_SA,

drivers/net/ethernet/nvidia/nvethernet/sysfs.c

@@ -227,11 +227,7 @@ static ssize_t macsec_enable_show(struct device *dev,
 	struct macsec_priv_data *macsec_pdata = pdata->macsec_pdata;
 	unsigned int enabled = macsec_pdata->enabled;
 	return scnprintf(buf, PAGE_SIZE, "%s\n",
-			 (enabled == (OSI_MACSEC_TX_EN | OSI_MACSEC_RX_EN))
-				      ? "txrx" :
-			 (enabled == OSI_MACSEC_TX_EN) ? "tx" :
-			 (enabled == OSI_MACSEC_RX_EN) ? "rx" :
-			 "None");
+			 (enabled == OSI_ENABLE) ? "txrx" : "None");
 }
 
 extern int macsec_open(struct macsec_priv_data *macsec_pdata,