[Intel-wired-lan] [PATCH iwl-net 0/2] ixgbe: fix incompatibility with Mailbox API v1.5

[Jacob Keller]

The ixgbevf driver gained support for the v1.5 API of the PF to VF mailbox
communication API in commit 339f28964147 ("ixgbevf: Add support for new
mailbox communication between PF and VF")

This commit accidentally enabled IPSEC offload for the v1.5 API, which is
incorrect as the API is only supported by the v1.4 API.

Other hosts including the VMWare ESX PF have implemented the v1.5 API, but
no Linux PF has.

As far as I can tell after digging, the v1.4 API is only supported by the
in-kernel ixgbe PF as the way of supporting IPSEC offload. Other hosts do
not appear to have implemented this API. In particular, the hosts
implementing v1.5 of the API do not have the IPSEC offload support.

The current situation results in two issues:

1) The ixgbevf attempts to enable IPSEC offload support for PFs operating
   on the v1.5 Mailbox API. This will not work as the PF will not support
   it. As far as I can tell, this results in all calls to
   ixgbevf_ipsec_set_pf_sa failing with an error, preventing IPSEC
   functionality from working.

2) When the in-kernel ixgbevf driver is loaded on an in-kernel ixgbe host,
   the driver logs a warning about an invalid API:

     VF 0 requested invalid api version 6

   This message confuses system administrators, as it implies that the VF
   is doing something wrong.

This series fixes the two issues, first by disabling IPSEC offload for any
API version other than v1.4. Second, the e_info message is downgraded into
a debug message to avoid logging it by default.

I do not yet fully understand the improvements of the v1.5 API, but
currently no Linux PF has implemented it fully. The Intel out-of-tree
releases appear to have some code to support v1.5, but it is incomplete,
and the v1.5 API is not advertised or accepted during negotiation.

If we ever plan to upstream the v1.5 improvements, then something will need
to be done to resolve the IPSEC negotiation -- existing v1.5 hosts do not
support IPSEC. It is not great to have to dedicate entire API versions just
to support IPSEC offload. I believe a proper solution should introduce an
API which can check if IPSEC is supported, and which all hosts can
implement to report whether IPSEC should be enabled. This is more flexible
than having a mailbox API which is not supported by all hosts.

Signed-off-by: Jacob Keller <jacob.e.keller at intel.com>
---
Jacob Keller (2):
      ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5
      ixgbe: downgrade logging of unsupported VF API version to debug

 drivers/net/ethernet/intel/ixgbe/ixgbe_common.h | 2 ++
 drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c  | 2 +-
 drivers/net/ethernet/intel/ixgbevf/ipsec.c      | 1 -
 3 files changed, 3 insertions(+), 2 deletions(-)
---
base-commit: 0144c06c5890d1ad0eea65df074cffaf4eea5a3c
change-id: 20241028-jk-ixgbevf-mailbox-v1-5-fixes-b9ed56673e99

Best regards,
-- 
Jacob Keller <jacob.e.keller at intel.com>