	Based on the original work from Arnd Bergmann.
When XFRM_ALGO is not enabled, the new ixgbe IPsec code produces a
link error:
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.o: In function `ixgbe_ipsec_vf_add_sa':
ixgbe_ipsec.c:(.text+0x1266): undefined reference to `xfrm_aead_get_byname'
Simply selecting XFRM_ALGO from here causes circular dependencies, so
to fix it, we probably want this slightly more complex solution that is
similar to what other drivers with XFRM offload do:
A separate Kconfig symbol now controls whether we include the IPsec
offload code. To keep the old behavior, this is left as 'default y'. The
dependency in XFRM_OFFLOAD still causes a circular dependency but is
not actually needed because this symbol is not user visible, so removing
that dependency on top makes it all work.
CC: Arnd Bergmann <arnd@arndb.de>
CC: Shannon Nelson <shannon.nelson@oracle.com>
Fixes: eda0333ac2 ("ixgbe: add VF IPsec management")
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
		
	
			
		
			
				
	
	
		
#
# XFRM configuration
#
# Core XFRM symbol. It has no prompt string, so it is not offered in the
# configuration menu; in this file it is switched on when XFRM_ALGO selects it.
# Enabling it also forces GRO_CELLS on.
config XFRM
	bool
	depends on NET
	select GRO_CELLS
# Promptless bool with no `depends on` line: nothing in this file turns it on,
# so it is only ever set by a `select` from another Kconfig file.
# NOTE(review): `select` does not check dependencies, so each selecting symbol
# is responsible for making sure XFRM itself is enabled.
config XFRM_OFFLOAD
	bool
# Promptless tristate, reached only through `select` (XFRM_USER, XFRM_IPCOMP
# and NET_KEY select it in this file). It in turn forces XFRM and CRYPTO on.
config XFRM_ALGO
	tristate
	select XFRM
	select CRYPTO
# User-visible tristate for the XFRM configuration interface that, per the
# help text, native Linux tools use for IPsec. Needs INET and pulls in
# XFRM_ALGO (and through it XFRM and CRYPTO).
config XFRM_USER
	tristate "Transformation user configuration interface"
	depends on INET
	select XFRM_ALGO
	help
	  Support for Transformation(XFRM) user configuration interface
	  like IPsec used by native Linux tools.

	  If unsure, say Y.
# User-visible tristate for a virtual interface that IPsec traffic can be
# routed through. Offered only when both XFRM and IPV6 are enabled; there is
# no default line, so it stays off unless chosen.
config XFRM_INTERFACE
	tristate "Transformation virtual interface"
	depends on XFRM && IPV6
	help
	  This provides a virtual interface to route IPsec traffic.

	  If unsure, say N.
# User-visible bool that lets a second ("sub") policy apply to a packet
# alongside the main one. The help text describes it as a developer feature;
# there is no default line, so it stays off unless chosen.
config XFRM_SUB_POLICY
	bool "Transformation sub policy support"
	depends on XFRM
	help
	  Support sub policy for developers. By using sub policy with main
	  one, two policies can be applied to the same packet at once.
	  Policy which lives shorter time in kernel should be a sub.

	  If unsure, say N.
# User-visible bool for updating the locators (endpoints) of an existing IPsec
# security association at run time. NET_KEY_MIGRATE in this file selects it,
# so it can be enabled without being chosen directly.
config XFRM_MIGRATE
	bool "Transformation migrate database"
	depends on XFRM
	help
	  A feature to update locator(s) of a given IPsec security
	  association dynamically.  This feature is required, for
	  instance, in a Mobile IPv6 environment with IPsec configuration
	  where mobile nodes change their attachment point to the Internet.

	  If unsure, say N.
# User-visible bool for counters about transformation errors during packet
# processing, aimed at developers according to the help text.
# NOTE(review): it requires PROC_FS, so the counters are presumably exposed
# under /proc; confirm the path and its permissions in the implementation.
config XFRM_STATISTICS
	bool "Transformation statistics"
	depends on INET && XFRM && PROC_FS
	help
	  This statistics is not a SNMP/MIB specification but shows
	  statistics about transformation error (or almost error) factor
	  at packet processing for developer.

	  If unsure, say N.
# Promptless tristate: nothing in this file selects it, so it is enabled only
# from other Kconfig files. When it is on, it forces XFRM_ALGO, CRYPTO and
# CRYPTO_DEFLATE on.
config XFRM_IPCOMP
	tristate
	select XFRM_ALGO
	select CRYPTO
	select CRYPTO_DEFLATE
# User-visible tristate for the PF_KEYv2 socket family. Per the help text it
# is needed for IPsec tools ported from KAME; the interface this file
# describes as used by native Linux tools is XFRM_USER. It has no `depends on`
# line and reaches XFRM and CRYPTO only through the selected XFRM_ALGO.
config NET_KEY
	tristate "PF_KEY sockets"
	select XFRM_ALGO
	help
	  PF_KEYv2 socket family, compatible to KAME ones.
	  They are required if you are going to use IPsec tools ported
	  from KAME.

	  Say Y unless you know what you are doing.
# User-visible bool that adds the PF_KEY MIGRATE message to the PF_KEYv2
# socket family. Offered only with NET_KEY, and forces XFRM_MIGRATE on via
# `select`; XFRM_MIGRATE's own XFRM dependency is met through the chain
# NET_KEY -> XFRM_ALGO -> XFRM visible in this file.
config NET_KEY_MIGRATE
	bool "PF_KEY MIGRATE"
	depends on NET_KEY
	select XFRM_MIGRATE
	help
	  Add a PF_KEY MIGRATE message to PF_KEYv2 socket family.
	  The PF_KEY MIGRATE message is used to dynamically update
	  locator(s) of a given IPsec security association.
	  This feature is required, for instance, in a Mobile IPv6
	  environment with IPsec configuration where mobile nodes
	  change their attachment point to the Internet.  Detail
	  information can be found in the internet-draft
	  <draft-sugimoto-mip6-pfkey-migrate>.

	  If unsure, say N.