i40e: implement anti-spoofing for VFs

Our hardware supports VF antispoofing for both MAC addresses and VLANs. Enable this feature by default for all VFs and implement the netdev op to control it from the command line. Change-ID: Ifb941da22785848aa3aba6b2231be135b8ea8f31 Signed-off-by: Mitch Williams <mitch.a.williams@intel.com> Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
author: Mitch Williams <mitch.a.williams@intel.com> 2014-05-20 04:01:40 -0400
committer: Jeff Kirsher <jeffrey.t.kirsher@intel.com> 2014-06-09 02:52:33 -0400
commit: c674d1250bfc04bae9fdbd71883713d29ad9f5d7 (patch)
tree: 05380f8f16b77b39b909ba1f8b4c3df4d80b221a
parent: fdfe9cbe0f002af8fa94c04639d2f224be9847d5 (diff)
3 files changed, 60 insertions, 2 deletions
diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
index d0bc05f224ff..afc37d3b2101 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -6887,6 +6887,7 @@ static const struct net_device_ops i40e_netdev_ops = {
        .ndo_set_vf_rate        = i40e_ndo_set_vf_bw,
        .ndo_get_vf_config      = i40e_ndo_get_vf_config,
        .ndo_set_vf_link_state  = i40e_ndo_set_vf_link_state,
+        .ndo_set_vf_spoofchk    = i40e_ndo_set_vf_spoofck,
 #ifdef CONFIG_I40E_VXLAN
        .ndo_add_vxlan_port     = i40e_add_vxlan_port,
        .ndo_del_vxlan_port     = i40e_del_vxlan_port,
@@ -7121,6 +7122,13 @@ static int i40e_add_vsi(struct i40e_vsi *vsi)
                ctxt.info.valid_sections |= cpu_to_le16(I40E_AQ_VSI_PROP_VLAN_VALID);
                ctxt.info.port_vlan_flags |= I40E_AQ_VSI_PVLAN_MODE_ALL;
+                if (pf->vf[vsi->vf_id].spoofchk) {
+                        ctxt.info.valid_sections |=
+                                cpu_to_le16(I40E_AQ_VSI_PROP_SECURITY_VALID);
+                        ctxt.info.sec_flags |=
+                                (I40E_AQ_VSI_SEC_FLAG_ENABLE_VLAN_CHK |
+                                 I40E_AQ_VSI_SEC_FLAG_ENABLE_MAC_CHK);
+                }
                /* Setup the VSI tx/rx queue map for TC0 only for now */
                i40e_vsi_setup_queue_map(vsi, &ctxt, enabled_tc, true);
                break;
diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
index 4e7634c83685..3f6cad46365c 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
@@ -899,6 +899,7 @@ int i40e_alloc_vfs(struct i40e_pf *pf, u16 num_alloc_vfs)
                ret = -ENOMEM;
                goto err_alloc;
        }
+        pf->vf = vfs;
        /* apply default profile */
        for (i = 0; i < num_alloc_vfs; i++) {
@@ -908,13 +909,13 @@ int i40e_alloc_vfs(struct i40e_pf *pf, u16 num_alloc_vfs)
                /* assign default capabilities */
                set_bit(I40E_VIRTCHNL_VF_CAP_L2, &vfs[i].vf_caps);
+                vfs[i].spoofchk = true;
                /* vf resources get allocated during reset */
                i40e_reset_vf(&vfs[i], false);
                /* enable vf vplan_qtable mappings */
                i40e_enable_vf_mappings(&vfs[i]);
        }
-        pf->vf = vfs;
        pf->num_alloc_vfs = num_alloc_vfs;
        i40e_enable_pf_switch_lb(pf);
@@ -2328,7 +2329,7 @@ int i40e_ndo_get_vf_config(struct net_device *netdev,
                ivi->linkstate = IFLA_VF_LINK_STATE_ENABLE;
        else
                ivi->linkstate = IFLA_VF_LINK_STATE_DISABLE;
+        ivi->spoofchk = vf->spoofchk;
        ret = 0;
 error_param:
@@ -2395,3 +2396,50 @@ int i40e_ndo_set_vf_link_state(struct net_device *netdev, int vf_id, int link)
 error_out:
        return ret;
 }
+/**
+ * i40e_ndo_set_vf_spoofchk
+ * @netdev: network interface device structure
+ * @vf_id: vf identifier
+ * @enable: flag to enable or disable feature
+ *
+ * Enable or disable VF spoof checking
+ **/
+int i40e_ndo_set_vf_spoofck(struct net_device *netdev, int vf_id, bool enable)
+{
+        struct i40e_netdev_priv *np = netdev_priv(netdev);
+        struct i40e_vsi *vsi = np->vsi;
+        struct i40e_pf *pf = vsi->back;
+        struct i40e_vsi_context ctxt;
+        struct i40e_hw *hw = &pf->hw;
+        struct i40e_vf *vf;
+        int ret = 0;
+        /* validate the request */
+        if (vf_id >= pf->num_alloc_vfs) {
+                dev_err(&pf->pdev->dev, "Invalid VF Identifier %d\n", vf_id);
+                ret = -EINVAL;
+                goto out;
+        }
+        vf = &(pf->vf[vf_id]);
+        if (enable == vf->spoofchk)
+                goto out;
+        vf->spoofchk = enable;
+        memset(&ctxt, 0, sizeof(ctxt));
+        ctxt.seid = pf->vsi[vf->lan_vsi_index]->seid;
+        ctxt.pf_num = pf->hw.pf_id;
+        ctxt.info.valid_sections = cpu_to_le16(I40E_AQ_VSI_PROP_SECURITY_VALID);
+        if (enable)
+                ctxt.info.sec_flags |= I40E_AQ_VSI_SEC_FLAG_ENABLE_MAC_CHK;
+        ret = i40e_aq_update_vsi_params(hw, &ctxt, NULL);
+        if (ret) {
+                dev_err(&pf->pdev->dev, "Error %d updating VSI parameters\n",
+                        ret);
+                ret = -EIO;
+        }
+out:
+        return ret;
+}
diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h
index 5a559be4ba2c..63e7e0d81ad2 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h
+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h
@@ -101,6 +101,7 @@ struct i40e_vf {
        unsigned int tx_rate;   /* Tx bandwidth limit in Mbps */
        bool link_forced;
        bool link_up;           /* only valid if vf link is forced */
+        bool spoofchk;
 };
 void i40e_free_vfs(struct i40e_pf *pf);
@@ -121,6 +122,7 @@ int i40e_ndo_set_vf_bw(struct net_device *netdev, int vf_id, int min_tx_rate,
 int i40e_ndo_get_vf_config(struct net_device *netdev,
                           int vf_id, struct ifla_vf_info *ivi);
 int i40e_ndo_set_vf_link_state(struct net_device *netdev, int vf_id, int link);
+int i40e_ndo_set_vf_spoofck(struct net_device *netdev, int vf_id, bool enable);
 void i40e_vc_notify_link_state(struct i40e_pf *pf);
 void i40e_vc_notify_reset(struct i40e_pf *pf);
author	Mitch Williams <mitch.a.williams@intel.com>	2014-05-20 04:01:40 -0400
committer	Jeff Kirsher <jeffrey.t.kirsher@intel.com>	2014-06-09 02:52:33 -0400
commit	c674d1250bfc04bae9fdbd71883713d29ad9f5d7 (patch)
tree	05380f8f16b77b39b909ba1f8b4c3df4d80b221a
parent	fdfe9cbe0f002af8fa94c04639d2f224be9847d5 (diff)

diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c index d0bc05f224ff..afc37d3b2101 100644 --- a/drivers/net/ethernet/intel/i40e/i40e_main.c +++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -6887,6 +6887,7 @@ static const struct net_device_ops i40e_netdev_ops = {
6887	.ndo_set_vf_rate = i40e_ndo_set_vf_bw,	6887	.ndo_set_vf_rate = i40e_ndo_set_vf_bw,
6888	.ndo_get_vf_config = i40e_ndo_get_vf_config,	6888	.ndo_get_vf_config = i40e_ndo_get_vf_config,
6889	.ndo_set_vf_link_state = i40e_ndo_set_vf_link_state,	6889	.ndo_set_vf_link_state = i40e_ndo_set_vf_link_state,
		6890	.ndo_set_vf_spoofchk = i40e_ndo_set_vf_spoofck,
6890	#ifdef CONFIG_I40E_VXLAN	6891	#ifdef CONFIG_I40E_VXLAN
6891	.ndo_add_vxlan_port = i40e_add_vxlan_port,	6892	.ndo_add_vxlan_port = i40e_add_vxlan_port,
6892	.ndo_del_vxlan_port = i40e_del_vxlan_port,	6893	.ndo_del_vxlan_port = i40e_del_vxlan_port,
@@ -7121,6 +7122,13 @@ static int i40e_add_vsi(struct i40e_vsi *vsi)
7121		7122
7122	ctxt.info.valid_sections \|= cpu_to_le16(I40E_AQ_VSI_PROP_VLAN_VALID);	7123	ctxt.info.valid_sections \|= cpu_to_le16(I40E_AQ_VSI_PROP_VLAN_VALID);
7123	ctxt.info.port_vlan_flags \|= I40E_AQ_VSI_PVLAN_MODE_ALL;	7124	ctxt.info.port_vlan_flags \|= I40E_AQ_VSI_PVLAN_MODE_ALL;
		7125	if (pf->vf[vsi->vf_id].spoofchk) {
		7126	ctxt.info.valid_sections \|=
		7127	cpu_to_le16(I40E_AQ_VSI_PROP_SECURITY_VALID);
		7128	ctxt.info.sec_flags \|=
		7129	(I40E_AQ_VSI_SEC_FLAG_ENABLE_VLAN_CHK \|
		7130	I40E_AQ_VSI_SEC_FLAG_ENABLE_MAC_CHK);
		7131	}
7124	/* Setup the VSI tx/rx queue map for TC0 only for now */	7132	/* Setup the VSI tx/rx queue map for TC0 only for now */
7125	i40e_vsi_setup_queue_map(vsi, &ctxt, enabled_tc, true);	7133	i40e_vsi_setup_queue_map(vsi, &ctxt, enabled_tc, true);
7126	break;	7134	break;


diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c index 4e7634c83685..3f6cad46365c 100644 --- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
@@ -899,6 +899,7 @@ int i40e_alloc_vfs(struct i40e_pf *pf, u16 num_alloc_vfs)
899	ret = -ENOMEM;	899	ret = -ENOMEM;
900	goto err_alloc;	900	goto err_alloc;
901	}	901	}
		902	pf->vf = vfs;
902		903
903	/* apply default profile */	904	/* apply default profile */
904	for (i = 0; i < num_alloc_vfs; i++) {	905	for (i = 0; i < num_alloc_vfs; i++) {
@@ -908,13 +909,13 @@ int i40e_alloc_vfs(struct i40e_pf *pf, u16 num_alloc_vfs)
908		909
909	/* assign default capabilities */	910	/* assign default capabilities */
910	set_bit(I40E_VIRTCHNL_VF_CAP_L2, &vfs[i].vf_caps);	911	set_bit(I40E_VIRTCHNL_VF_CAP_L2, &vfs[i].vf_caps);
		912	vfs[i].spoofchk = true;
911	/* vf resources get allocated during reset */	913	/* vf resources get allocated during reset */
912	i40e_reset_vf(&vfs[i], false);	914	i40e_reset_vf(&vfs[i], false);
913		915
914	/* enable vf vplan_qtable mappings */	916	/* enable vf vplan_qtable mappings */
915	i40e_enable_vf_mappings(&vfs[i]);	917	i40e_enable_vf_mappings(&vfs[i]);
916	}	918	}
917	pf->vf = vfs;
918	pf->num_alloc_vfs = num_alloc_vfs;	919	pf->num_alloc_vfs = num_alloc_vfs;
919		920
920	i40e_enable_pf_switch_lb(pf);	921	i40e_enable_pf_switch_lb(pf);
@@ -2328,7 +2329,7 @@ int i40e_ndo_get_vf_config(struct net_device *netdev,
2328	ivi->linkstate = IFLA_VF_LINK_STATE_ENABLE;	2329	ivi->linkstate = IFLA_VF_LINK_STATE_ENABLE;
2329	else	2330	else
2330	ivi->linkstate = IFLA_VF_LINK_STATE_DISABLE;	2331	ivi->linkstate = IFLA_VF_LINK_STATE_DISABLE;
2331		2332	ivi->spoofchk = vf->spoofchk;
2332	ret = 0;	2333	ret = 0;
2333		2334
2334	error_param:	2335	error_param:
@@ -2395,3 +2396,50 @@ int i40e_ndo_set_vf_link_state(struct net_device *netdev, int vf_id, int link)
2395	error_out:	2396	error_out:
2396	return ret;	2397	return ret;
2397	}	2398	}
		2399
		2400	/**
		2401	* i40e_ndo_set_vf_spoofchk
		2402	* @netdev: network interface device structure
		2403	* @vf_id: vf identifier
		2404	* @enable: flag to enable or disable feature
		2405	*
		2406	* Enable or disable VF spoof checking
		2407	**/
		2408	int i40e_ndo_set_vf_spoofck(struct net_device *netdev, int vf_id, bool enable)
		2409	{
		2410	struct i40e_netdev_priv *np = netdev_priv(netdev);
		2411	struct i40e_vsi *vsi = np->vsi;
		2412	struct i40e_pf *pf = vsi->back;
		2413	struct i40e_vsi_context ctxt;
		2414	struct i40e_hw *hw = &pf->hw;
		2415	struct i40e_vf *vf;
		2416	int ret = 0;
		2417
		2418	/* validate the request */
		2419	if (vf_id >= pf->num_alloc_vfs) {
		2420	dev_err(&pf->pdev->dev, "Invalid VF Identifier %d\n", vf_id);
		2421	ret = -EINVAL;
		2422	goto out;
		2423	}
		2424
		2425	vf = &(pf->vf[vf_id]);
		2426
		2427	if (enable == vf->spoofchk)
		2428	goto out;
		2429
		2430	vf->spoofchk = enable;
		2431	memset(&ctxt, 0, sizeof(ctxt));
		2432	ctxt.seid = pf->vsi[vf->lan_vsi_index]->seid;
		2433	ctxt.pf_num = pf->hw.pf_id;
		2434	ctxt.info.valid_sections = cpu_to_le16(I40E_AQ_VSI_PROP_SECURITY_VALID);
		2435	if (enable)
		2436	ctxt.info.sec_flags \|= I40E_AQ_VSI_SEC_FLAG_ENABLE_MAC_CHK;
		2437	ret = i40e_aq_update_vsi_params(hw, &ctxt, NULL);
		2438	if (ret) {
		2439	dev_err(&pf->pdev->dev, "Error %d updating VSI parameters\n",
		2440	ret);
		2441	ret = -EIO;
		2442	}
		2443	out:
		2444	return ret;
		2445	}


diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h index 5a559be4ba2c..63e7e0d81ad2 100644 --- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h +++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h
@@ -101,6 +101,7 @@ struct i40e_vf {
101	unsigned int tx_rate; /* Tx bandwidth limit in Mbps */	101	unsigned int tx_rate; /* Tx bandwidth limit in Mbps */
102	bool link_forced;	102	bool link_forced;
103	bool link_up; /* only valid if vf link is forced */	103	bool link_up; /* only valid if vf link is forced */
		104	bool spoofchk;
104	};	105	};
105		106
106	void i40e_free_vfs(struct i40e_pf *pf);	107	void i40e_free_vfs(struct i40e_pf *pf);
@@ -121,6 +122,7 @@ int i40e_ndo_set_vf_bw(struct net_device *netdev, int vf_id, int min_tx_rate,
121	int i40e_ndo_get_vf_config(struct net_device *netdev,	122	int i40e_ndo_get_vf_config(struct net_device *netdev,
122	int vf_id, struct ifla_vf_info *ivi);	123	int vf_id, struct ifla_vf_info *ivi);
123	int i40e_ndo_set_vf_link_state(struct net_device *netdev, int vf_id, int link);	124	int i40e_ndo_set_vf_link_state(struct net_device *netdev, int vf_id, int link);
		125	int i40e_ndo_set_vf_spoofck(struct net_device *netdev, int vf_id, bool enable);
124		126
125	void i40e_vc_notify_link_state(struct i40e_pf *pf);	127	void i40e_vc_notify_link_state(struct i40e_pf *pf);
126	void i40e_vc_notify_reset(struct i40e_pf *pf);	128	void i40e_vc_notify_reset(struct i40e_pf *pf);