From: Saeed Mahameed
To: "David S. Miller"
Cc: netdev@vger.kernel.org, Dave Watson, Boris Pismenny, Saeed Mahameed
Subject: [PATCH V2 net-next 00/14] TLS offload, netdev & MLX5 support
Date: Wed, 21 Mar 2018 14:01:32 -0700
Message-Id: <20180321210146.22537-1-saeedm@mellanox.com>

Hi Dave,

The following series from Ilya and Boris provides TLS TX inline crypto offload.

v1->v2:
- Added IS_ENABLED(CONFIG_TLS_DEVICE) and a STATIC_KEY for icsk_clean_acked
- File license fix
- Fix spelling, comment by DaveW
- Move memory allocations out of tls_set_device_offload and other misc fixes, comments by Kiril.

Boris says:
===================
This series adds a generic infrastructure to offload TLS crypto to network devices. It enables the kernel TLS socket to skip encryption and authentication operations on the transmit side of the data path, leaving those computationally expensive operations to the NIC.

The NIC offload infrastructure builds TLS records and pushes them to the TCP layer just like the SW KTLS implementation, using the same API. TCP segmentation is mostly unaffected. Currently the only exception is that we prevent mixed SKBs where only part of the payload requires offload. In the future we are likely to add a similar restriction following a change cipher spec record.

The notable differences between SW KTLS and NIC offloaded TLS implementations are as follows:
1. The offloaded implementation builds "plaintext TLS records"; those records contain plaintext instead of ciphertext and placeholder bytes instead of authentication tags.
2. The offloaded implementation maintains a mapping from TCP sequence number to TLS records.

Thus, given a TCP SKB sent from a NIC offloaded TLS socket, we can use the TLS NIC offload infrastructure to obtain enough context to encrypt the payload of the SKB. A TLS record is released when the last byte of the record is ack'ed; this is done through the new icsk_clean_acked callback.

The infrastructure should be extendable to support various NIC offload implementations. However, it is currently written with the implementation below in mind:

The NIC assumes that packets from each offloaded stream are sent as plaintext and in order. It keeps track of the TLS records in the TCP stream. When a packet marked for offload is transmitted, the NIC encrypts the payload in place and puts authentication tags in the relevant placeholders.

The responsibility for handling out-of-order packets (i.e. TCP retransmission, qdisc drops) falls on the netdev driver. The netdev driver keeps track of the expected TCP SN from the NIC's perspective. If the next packet to transmit matches the expected TCP SN, the driver advances the expected TCP SN and transmits the packet with TLS offload indication. If the next packet to transmit does not match the expected TCP SN, the driver calls the TLS layer to obtain the TLS record that includes the TCP SN of the packet for transmission. Using this TLS record, the driver posts a work entry on the transmit queue to reconstruct the NIC TLS state required for the offload of the out-of-order packet. It updates the expected TCP SN accordingly and transmits the now in-order packet. The same queue is used for packet transmission and TLS context reconstruction to avoid the need for flushing the transmit queue before issuing the context reconstruction request.

Expected TCP SN is accessed without a lock, under the assumption that TCP doesn't transmit SKBs from different TX queues concurrently. We assume that packets are not rerouted to a different network device.

Paper: https://www.netdevconf.org/1.2/papers/netdevconf-TLS.pdf
===================

The series is based on latest net-next:
0466080c751e ("Merge branch 'dsa-mv88e6xxx-some-fixes'")

Thanks,
Saeed.

---

Boris Pismenny (2):
  MAINTAINERS: Update mlx5 innova driver maintainers
  MAINTAINERS: Update TLS maintainers

Ilya Lesokhin (12):
  tcp: Add clean acked data hook
  net: Rename and export copy_skb_header
  net: Add Software fallback infrastructure for socket dependent offloads
  net: Add TLS offload netdev ops
  net: Add TLS TX offload features
  net/tls: Add generic NIC offload infrastructure
  net/tls: Support TLS device offload with IPv6
  net/mlx5e: Move defines out of ipsec code
  net/mlx5: Accel, Add TLS tx offload interface
  net/mlx5e: TLS, Add Innova TLS TX support
  net/mlx5e: TLS, Add Innova TLS TX offload data path
  net/mlx5e: TLS, Add error statistics

 MAINTAINERS                                        |  19 +-
 drivers/net/ethernet/mellanox/mlx5/core/Kconfig    |  11 +
 drivers/net/ethernet/mellanox/mlx5/core/Makefile   |   6 +-
 .../net/ethernet/mellanox/mlx5/core/accel/tls.c    |  71 ++
 .../net/ethernet/mellanox/mlx5/core/accel/tls.h    |  86 +++
 drivers/net/ethernet/mellanox/mlx5/core/en.h       |  21 +
 .../mellanox/mlx5/core/en_accel/en_accel.h         |  72 ++
 .../ethernet/mellanox/mlx5/core/en_accel/ipsec.h   |   3 -
 .../net/ethernet/mellanox/mlx5/core/en_accel/tls.c | 197 +++++
 .../net/ethernet/mellanox/mlx5/core/en_accel/tls.h |  87 +++
 .../mellanox/mlx5/core/en_accel/tls_rxtx.c         | 278 +++++++
 .../mellanox/mlx5/core/en_accel/tls_rxtx.h         |  50 ++
 .../mellanox/mlx5/core/en_accel/tls_stats.c        |  89 +++
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c  |   9 +
 drivers/net/ethernet/mellanox/mlx5/core/en_stats.c |  32 +
 drivers/net/ethernet/mellanox/mlx5/core/en_stats.h |   9 +
 drivers/net/ethernet/mellanox/mlx5/core/en_tx.c    |  37 +-
 .../net/ethernet/mellanox/mlx5/core/fpga/core.h    |   1 +
 .../net/ethernet/mellanox/mlx5/core/fpga/ipsec.c   |   5 +-
 drivers/net/ethernet/mellanox/mlx5/core/fpga/sdk.h |   2 +
 drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c | 563 ++++++++++++++
 drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.h |  68 ++
 drivers/net/ethernet/mellanox/mlx5/core/main.c     |  11 +
 include/linux/mlx5/mlx5_ifc.h                      |  16 -
 include/linux/mlx5/mlx5_ifc_fpga.h                 |  77 ++
 include/linux/netdev_features.h                    |   2 +
 include/linux/netdevice.h                          |  24 +
 include/linux/skbuff.h                             |   1 +
 include/net/inet_connection_sock.h                 |   2 +
 include/net/sock.h                                 |  21 +
 include/net/tcp.h                                  |   5 +
 include/net/tls.h                                  |  74 +-
 net/Kconfig                                        |   4 +
 net/core/dev.c                                     |   4 +
 net/core/ethtool.c                                 |   1 +
 net/core/skbuff.c                                  |   9 +-
 net/ipv4/tcp.c                                     |   5 +
 net/ipv4/tcp_input.c                               |   6 +
 net/tls/Kconfig                                    |  10 +
 net/tls/Makefile                                   |   2 +
 net/tls/tls_device.c                               | 840 +++++++++++++++++++++
 net/tls/tls_device_fallback.c                      | 415 ++++++++++
 net/tls/tls_main.c                                 |  33 +-
 43 files changed, 3213 insertions(+), 65 deletions(-)
 create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/accel/tls.c
 create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/accel/tls.h
 create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/en_accel.h
 create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/tls.c
 create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/tls.h
 create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/tls_rxtx.c
 create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/tls_rxtx.h
 create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/tls_stats.c
 create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
 create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.h
 create mode 100644 net/tls/tls_device.c
 create mode 100644 net/tls/tls_device_fallback.c

--
2.14.3
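The cover letter above describes two pieces of bookkeeping that make inline TX offload safe in the presence of retransmits: the TLS layer's mapping from TCP sequence number to record (released from the icsk_clean_acked hook once the record's last byte is acked), and the driver's expected-TCP-SN check that decides between a plain offloaded send, a context rebuild followed by the send, or giving up on offload for that SKB. The following is an added, user-space model of exactly that logic; it is not code from the patch series or from the mlx5 driver. All structure and function names (`tls_ctx`, `tls_rec`, `driver_xmit`, `tx_action`), the 16-entry record table and the sample sequence numbers are constructed for illustration. The software-fallback outcome stands in for the fallback path the series adds in net/tls/tls_device_fallback.c; the exact kernel structures differ.

```c
/* Added example, not part of the patch series: a user-space model of the
 * TX-side bookkeeping the cover letter describes. Names and sample
 * sequence numbers are constructed; the kernel's real structures differ. */
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_RECORDS 16          /* toy bound on in-flight records (assumed) */
#define TLS_TAG_LEN 16          /* AES-GCM tag bytes left as placeholders */

/* One "plaintext TLS record": the TCP byte range it occupies on the wire. */
struct tls_rec {
    uint32_t start_seq;         /* TCP seq of the record's first byte */
    uint32_t end_seq;           /* one past the last byte, tag placeholder included */
    bool in_use;
};

/* TLS-layer state for one offloaded socket: the seq -> record mapping. */
struct tls_ctx {
    struct tls_rec recs[MAX_RECORDS];
    uint32_t next_seq;          /* TCP seq at which the next record starts */
};

/* Wraparound-safe comparison, same idea as the kernel's before()/after(). */
static bool seq_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

static bool seq_in_rec(const struct tls_rec *r, uint32_t seq)
{
    return r->in_use && !seq_before(seq, r->start_seq) && seq_before(seq, r->end_seq);
}

void tls_ctx_init(struct tls_ctx *ctx, uint32_t first_seq)
{
    for (int i = 0; i < MAX_RECORDS; i++)
        ctx->recs[i].in_use = false;
    ctx->next_seq = first_seq;
}

/* TLS layer hands a record (plaintext + tag placeholder) to TCP and
 * remembers which TCP bytes it will occupy. Returns false when full. */
bool tls_push_record(struct tls_ctx *ctx, uint32_t payload_len)
{
    for (int i = 0; i < MAX_RECORDS; i++) {
        if (ctx->recs[i].in_use)
            continue;
        ctx->recs[i].start_seq = ctx->next_seq;
        ctx->recs[i].end_seq = ctx->next_seq + payload_len + TLS_TAG_LEN;
        ctx->recs[i].in_use = true;
        ctx->next_seq = ctx->recs[i].end_seq;
        return true;
    }
    return false;               /* real code would apply back-pressure here */
}

/* Lookup the driver performs when it must rebuild NIC state for an SKB. */
const struct tls_rec *tls_get_record(const struct tls_ctx *ctx, uint32_t seq)
{
    for (int i = 0; i < MAX_RECORDS; i++)
        if (seq_in_rec(&ctx->recs[i], seq))
            return &ctx->recs[i];
    return NULL;
}

/* icsk_clean_acked analogue: a record is released once its last byte is
 * acked, i.e. end_seq <= acked_seq. Returns the number released. */
int tls_clean_acked(struct tls_ctx *ctx, uint32_t acked_seq)
{
    int n = 0;
    for (int i = 0; i < MAX_RECORDS; i++) {
        struct tls_rec *r = &ctx->recs[i];
        if (r->in_use && !seq_before(acked_seq, r->end_seq)) {
            r->in_use = false;
            n++;
        }
    }
    return n;
}

/* Driver side: the expected-SN decision described in the cover letter. */
enum tx_action {
    TX_OFFLOAD_INORDER,   /* seq matched: send with the offload indication */
    TX_OFFLOAD_RESYNC,    /* seq mismatch: post a context rebuild, then send */
    TX_SW_FALLBACK        /* no record known (already acked): encrypt in SW */
};

struct tx_state { uint32_t expected_seq; };

enum tx_action driver_xmit(struct tx_state *st, const struct tls_ctx *ctx,
                           uint32_t skb_seq, uint32_t skb_len)
{
    if (skb_seq == st->expected_seq) {          /* common, in-order case */
        st->expected_seq += skb_len;
        return TX_OFFLOAD_INORDER;
    }
    const struct tls_rec *rec = tls_get_record(ctx, skb_seq);
    if (!rec)                                   /* record already released */
        return TX_SW_FALLBACK;
    /* A context-rebuild work entry for `rec` goes on the same TX queue here,
     * ahead of the packet, so no queue flush is needed before the rebuild. */
    st->expected_seq = skb_seq + skb_len;
    return TX_OFFLOAD_RESYNC;
}

int main(void)
{
    struct tls_ctx ctx;
    struct tx_state st = { .expected_seq = 1000 };
    tls_ctx_init(&ctx, 1000);
    tls_push_record(&ctx, 100);                 /* record 1: [1000, 1116) */
    printf("first send: %d\n", driver_xmit(&st, &ctx, 1000, 116));
    printf("retransmit: %d\n", driver_xmit(&st, &ctx, 1000, 116));
    tls_clean_acked(&ctx, 1116);
    printf("after ack:  %d\n", driver_xmit(&st, &ctx, 1000, 116));
    return 0;
}
```

The retransmit case is the one worth tracing: the SKB's sequence number no longer matches what the NIC expects, so the driver cannot simply mark it for offload; it must find the record the bytes belong to and re-seed the NIC's per-stream state before the packet, which is why the record table must survive until the ack arrives. The `seq_before` helper matters once a long-lived connection wraps its 32-bit sequence space; a plain `<` comparison would stop finding records at that point.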