On 5/23/26 21:15, Jihong Min wrote:
> This series adds the missing plumbing for ESP offload engines that
> operate on whole ESP packets instead of only exposing AES/HMAC through
> the crypto API AEAD interface.
>
> The normal ESP software path can already call into accelerated AEAD
> algorithms, but packet-mode engines such as EIP93 can also generate and
> consume ESP packet framing: padding, pad length, next header and ICV.
> That needs a slightly different XFRM offload contract so the netdev
> driver can hand the skb to a packet backend rather than trying to make
> hardware fit the software trailer layout.
>
> Patch 1 extends the ESP offload infrastructure for packet engines while
> preserving the existing behavior for drivers that do not opt in.
> Patch 2 exposes an EIP93 ESP packet backend for encapsulation and
> decapsulation.
> Patch 3 wires Airoha Ethernet GDM netdevs and DSA user ports to that
> backend through xfrmdev_ops. ESP GSO and ESP TX checksum offload remain
> disabled.
>
> Runtime testing was done on a Gemtek W1700K2 running OpenWrt with the
> same changes applied on top of a 6.18.31-based kernel.
>
> Test parameters:
>
> - Static IPv4 transport-mode XFRM SAs between the AP and host.
> - ESP transform: auth hmac(sha1), enc cbc(aes) with a 128-bit AES key.
> - iperf3 TCP test, AP as client and host as server:
> iperf3 -c <host_ip> -P 4 -t 10
> - The host always used normal Linux XFRM software processing.
> - With AP ESP offload disabled, the AP also used the Linux XFRM
> software path; in this setup, EIP93-backed AEAD crypto was still
> available to that path.
>
> Network-relevant test setup:
>
> - AP: Gemtek W1700K2, Airoha AN7581/EN7581, 4x Arm Cortex-A53 at
> 1.4 GHz, 2 GiB RAM, airoha_eth wan (GDM2) netdev, 10Gb/s full-duplex,
> MTU 9200, EIP93 crypto and IPsec packet engine present.
> - Host: AMD Ryzen 9 9950X3D, 16 cores/32 threads, Open vSwitch,
> MTU 9978, backed by a ConnectX-6 Dx 10Gb/s full-duplex link.
>
> AP to host iperf3 result:
>
> AP offload Sender Receiver Retransmits
> on 918.2 Mbit/s 913.6 Mbit/s 0
> off 782.4 Mbit/s 778.6 Mbit/s 3569
>
> This is a 17.3% receiver-side throughput improvement for the AP TX ESP
> path in this setup, with retransmits eliminated in the offloaded run.
>
> Jihong Min (3):
> xfrm: extend ESP offload infrastructure for packet engines
> crypto: inside-secure: add EIP93 ESP packet backend
> net: airoha: add EIP93-backed ESP XFRM offload
>
> MAINTAINERS | 1 +
> drivers/crypto/inside-secure/eip93/Kconfig | 10 +
> drivers/crypto/inside-secure/eip93/Makefile | 1 +
> .../crypto/inside-secure/eip93/eip93-ipsec.c | 1413 ++++++++++++++++
> .../crypto/inside-secure/eip93/eip93-main.c | 69 +-
> .../crypto/inside-secure/eip93/eip93-main.h | 38 +-
> drivers/net/ethernet/airoha/Kconfig | 11 +
> drivers/net/ethernet/airoha/Makefile | 1 +
> drivers/net/ethernet/airoha/airoha_eth.c | 51 +-
> drivers/net/ethernet/airoha/airoha_eth.h | 69 +
> drivers/net/ethernet/airoha/airoha_xfrm.c | 1474 +++++++++++++++++
> include/crypto/eip93-ipsec.h | 132 ++
> include/linux/netdevice.h | 3 +
> include/net/xfrm.h | 8 +-
> net/ipv4/esp4.c | 6 +-
> net/ipv4/esp4_offload.c | 29 +-
> net/ipv6/esp6.c | 6 +-
> net/ipv6/esp6_offload.c | 29 +-
> 18 files changed, 3324 insertions(+), 27 deletions(-)
> create mode 100644 drivers/crypto/inside-secure/eip93/eip93-ipsec.c
> create mode 100644 drivers/net/ethernet/airoha/airoha_xfrm.c
> create mode 100644 include/crypto/eip93-ipsec.h
>
One note I should have included in the cover letter:
The hardware behavior used by this series was studied from the out-of-tree
IPsec branch of the mtk-eip93 driver:
https://github.com/vschagen/mtk-eip93/tree/ipsec
That code was useful for understanding the EIP93 packet-mode ESP descriptor
programming and SA record values.
This series is not a direct import of that driver. The implementation was
rewritten around the current upstream driver layout and the Linux XFRM
netdev offload model, with EIP93 exposed as a packet-mode ESP backend used
by the Airoha netdev driver.
Sincerely,
Jihong Min