Re: [PATCH v3 net-next 6/6] tls: Add generic NIC offload infrastructure.
On Tue, Dec 19, 2017 at 03:38:16PM +, Ilya Lesokhin wrote: > Tuesday, December 19, 2017 5:12 PM, Marcelo Ricardo Leitner wrote: > > > > I'm not quite sure what you mean by "no net_device's are registered" > > > Presumably you mean there is no device that implements the > > > NETIF_F_HW_TLS_TX capability yet. > > > > Not really. Let me try again. This patchset is using the expression > > "tls_device". > > When I read that, I expect a new interface type, like a tunnel, that would > > be > > created on top of another interface that has the offloading capability. > > That's > > why I'm confused. IMHO "tls_offload" is a better fit. Makes sense? > > > > We don't expose a new interface. An existing netdev does the offload. > > The xfrm layer also calls the offload layer xfrm_device and It also doesn't > need to > add another interface to offload ipsec to a netdev. Hm right, there is xfrm_dev_init() and others, but there is also XFRM_OFFLOAD as the config define and not XFRM_DEVICE. > > I thought about calling it tls_hw or tls_hw_offload. > The problem is that the important distinction here is that the > offload is done by a netdev. > tls_sw can also use hw offload if you have the required > memory to memory crypto engine and crypto_alloc_aead("gcm(aes)", 0, 0); > decides on using it. Now I can see the confusion in both ways, thanks. And now I don't have a preference either. Marcelo
RE: [PATCH v3 net-next 6/6] tls: Add generic NIC offload infrastructure.
Tuesday, December 19, 2017 5:12 PM, Marcelo Ricardo Leitner wrote: > > I'm not quite sure what you mean by "no net_device's are registered" > > Presumably you mean there is no device that implements the > > NETIF_F_HW_TLS_TX capability yet. > > Not really. Let me try again. This patchset is using the expression > "tls_device". > When I read that, I expect a new interface type, like a tunnel, that would be > created on top of another interface that has the offloading capability. That's > why I'm confused. IMHO "tls_offload" is a better fit. Makes sense? > We don't expose a new interface. An existing netdev does the offload. The xfrm layer also calls the offload layer xfrm_device and It also doesn't need to add another interface to offload ipsec to a netdev. I thought about calling it tls_hw or tls_hw_offload. The problem is that the important distinction here is that the offload is done by a netdev. tls_sw can also use hw offload if you have the required memory to memory crypto engine and crypto_alloc_aead("gcm(aes)", 0, 0); decides on using it.
Re: [PATCH v3 net-next 6/6] tls: Add generic NIC offload infrastructure.
On Tue, Dec 19, 2017 at 07:31:24AM +, Ilya Lesokhin wrote: > On Mon, Monday, December 18, 2017 9:54 PM, Marcelo Ricardo Leitner wrote: > > > On Mon, Dec 18, 2017 at 01:10:33PM +0200, Ilya Lesokhin wrote: > > > This patch adds a generic infrastructure to offload TLS crypto to a > > > network devices. It enables the kernel TLS socket to skip encryption > > > and authentication operations on the transmit side of the data path. > > > Leaving those computationally expensive operations to the NIC. > > > > I have a hard time understanding why this was named 'tls_device' if no > > net_device's are registered. > > > I'm not quite sure what you mean by "no net_device's are registered" > Presumably you mean there is no device that implements the > NETIF_F_HW_TLS_TX capability yet. Not really. Let me try again. This patchset is using the expression "tls_device". When I read that, I expect a new interface type, like a tunnel, that would be created on top of another interface that has the offloading capability. That's why I'm confused. IMHO "tls_offload" is a better fit. Makes sense? > I'll just say that the IPSEC device offload infrastructure was also submitted > https://github.com/torvalds/linux/commit/d77e38e612a017480157fe6d2c1422f42cb5b7e3 > before the first implementation > https://github.com/torvalds/linux/commit/bebb23e6cb02d2fc752905e39d09ff6152852c6c > > And we did provide a link to an implementation > https://github.com/Mellanox/tls-offload/tree/tls_device_v3 > for people who want to take a look. > Unfortunately it is not ready for upstream submission yet Yep, although I still have to get there. Thanks, Marcelo
Re: [PATCH v3 net-next 6/6] tls: Add generic NIC offload infrastructure.
Hi Ilya, I love your patch! Perhaps something to improve: [auto build test WARNING on net-next/master] url: https://github.com/0day-ci/linux/commits/Ilya-Lesokhin/tls-Add-generic-NIC-offload-infrastructure/20171219-140819 reproduce: # apt-get install sparse make ARCH=x86_64 allmodconfig make C=1 CF=-D__CHECK_ENDIAN__ sparse warnings: (new ones prefixed by >>) Please review and possibly fold the followup patch. vim +649 net/tls/tls_device.c 547 548 int tls_set_device_offload(struct sock *sk, struct tls_context *ctx) 549 { 550 struct tls_crypto_info *crypto_info; 551 struct tls_offload_context *offload_ctx; 552 struct tls_record_info *start_marker_record; 553 u16 nonece_size, tag_size, iv_size, rec_seq_size; 554 char *iv, *rec_seq; 555 int rc; 556 struct net_device *netdev; 557 struct sk_buff *skb; 558 559 if (!ctx) { 560 rc = -EINVAL; 561 goto out; 562 } 563 564 if (ctx->priv_ctx) { 565 rc = -EEXIST; 566 goto out; 567 } 568 569 /* We support starting offload on multiple sockets 570 * concurrently, So we only need a read lock here. 571 */ 572 percpu_down_read(&device_offload_lock); 573 netdev = get_netdev_for_sock(sk); 574 if (!netdev) { 575 pr_err("%s: netdev not found\n", __func__); 576 rc = -EINVAL; 577 goto release_lock; 578 } 579 580 if (!(netdev->features & NETIF_F_HW_TLS_TX)) { 581 rc = -ENOTSUPP; 582 goto release_netdev; 583 } 584 585 /* Avoid offloading if the device is down 586 * We don't want to offload new flows after 587 * the NETDEV_DOWN event 588 */ 589 if (!(netdev->flags & IFF_UP)) { 590 rc = -EINVAL; 591 goto release_lock; 592 } 593 594 crypto_info = &ctx->crypto_send; 595 switch (crypto_info->cipher_type) { 596 case TLS_CIPHER_AES_GCM_128: { 597 nonece_size = TLS_CIPHER_AES_GCM_128_IV_SIZE; 598 tag_size = TLS_CIPHER_AES_GCM_128_TAG_SIZE; 599 iv_size = TLS_CIPHER_AES_GCM_128_IV_SIZE; 600 iv = ((struct tls12_crypto_info_aes_gcm_128 *)crypto_info)->iv; 601 rec_seq_size = TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE; 602 rec_seq = 603 ((struct tls12_crypto_info_aes_gcm_128 *)crypto_info)->rec_seq; 604 break; 605 } 606 default: 607 rc = -EINVAL; 608 goto release_netdev; 609 } 610 611 start_marker_record = kmalloc(sizeof(*start_marker_record), GFP_KERNEL); 612 if (!start_marker_record) { 613 rc = -ENOMEM; 614 goto release_netdev; 615 } 616 617 rc = attach_sock_to_netdev(sk, netdev, ctx); 618 if (rc) 619 goto free_marker_record; 620 621 ctx->netdev = netdev; 622 623 ctx->prepend_size = TLS_HEADER_SIZE + nonece_size; 624 ctx->tag_size = tag_size; 625 ctx->iv_size = iv_size; 626 ctx->iv = kmalloc(iv_size + TLS_CIPHER_AES_GCM_128_SALT_SIZE, 627GFP_KERNEL); 628 if (!ctx->iv) { 629 rc = -ENOMEM; 630 goto detach_sock; 631 } 632 633 memcpy(ctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE, rec_seq, iv_size); 634 635 ctx->rec_seq_size = rec_seq_size; 636 ctx->rec_seq = kmalloc(rec_seq_size, GFP_KERNEL); 637 if (!ctx->rec_seq) { 638 rc = -ENOMEM; 639 goto err_iv; 640 } 641 memcpy(ctx->rec_seq, rec_seq, rec_seq_size); 642 643 offload_ctx = ctx->priv_ctx; 644 memcpy(&offload_ctx->unacked_record_sn, rec_seq, 645 sizeof(offload_ctx->unacked_record_sn)); 646 647 /* start at rec_seq -1 to account for the start marker record */ 648 offload_ctx->unacked_record_sn = > 649 be64_to_cpu(offload_ctx->unacked_record_sn) - 1; 650 651 rc = tls_sw_fallback_init(sk, offload_ctx, crypto_info); 652 if (rc) 653 goto err_iv; 654 655 start_marker_record->end_seq = tcp_sk(sk)->write_seq; 656 start_marker_record->len = 0; 657 start_marker_record->num_frags = 0; 65
RE: [PATCH v3 net-next 6/6] tls: Add generic NIC offload infrastructure.
On Mon, Monday, December 18, 2017 9:54 PM, Marcelo Ricardo Leitner wrote: > On Mon, Dec 18, 2017 at 01:10:33PM +0200, Ilya Lesokhin wrote: > > This patch adds a generic infrastructure to offload TLS crypto to a > > network devices. It enables the kernel TLS socket to skip encryption > > and authentication operations on the transmit side of the data path. > > Leaving those computationally expensive operations to the NIC. > > I have a hard time understanding why this was named 'tls_device' if no > net_device's are registered. > I'm not quite sure what you mean by "no net_device's are registered" Presumably you mean there is no device that implements the NETIF_F_HW_TLS_TX capability yet. I'll just say that the IPSEC device offload infrastructure was also submitted https://github.com/torvalds/linux/commit/d77e38e612a017480157fe6d2c1422f42cb5b7e3 before the first implementation https://github.com/torvalds/linux/commit/bebb23e6cb02d2fc752905e39d09ff6152852c6c And we did provide a link to an implementation https://github.com/Mellanox/tls-offload/tree/tls_device_v3 for people who want to take a look. Unfortunately it is not ready for upstream submission yet > > + percpu_down_read(&device_offload_lock); > > + netdev = get_netdev_for_sock(sk); > > + if (!netdev) { > > + pr_err("%s: netdev not found\n", __func__); > > _ratelimit? > Thanks, we will fix it in the future.
Re: [PATCH v3 net-next 6/6] tls: Add generic NIC offload infrastructure.
Hi Ilya, I love your patch! Yet something to improve: [auto build test ERROR on net-next/master] url: https://github.com/0day-ci/linux/commits/Ilya-Lesokhin/tls-Add-generic-NIC-offload-infrastructure/20171219-140819 config: tile-allmodconfig (attached as .config) compiler: tilegx-linux-gcc (GCC) 7.2.0 reproduce: wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # save the attached .config to linux build tree make.cross ARCH=tile All errors (new ones prefixed by >>): net/tls/tls_device_fallback.c: In function 'update_chksum': >> net/tls/tls_device_fallback.c:190:16: error: implicit declaration of >> function 'csum_ipv6_magic'; did you mean 'csum_tcpudp_magic'? >> [-Werror=implicit-function-declaration] th->check = ~csum_ipv6_magic(&ipv6h->saddr, &ipv6h->daddr, ^~~ csum_tcpudp_magic cc1: some warnings being treated as errors vim +190 net/tls/tls_device_fallback.c 166 167 static inline void update_chksum(struct sk_buff *skb, int headln) 168 { 169 /* Can't use icsk->icsk_af_ops->send_check here because the ip addresses 170 * might have been changed by NAT. 171 */ 172 173 const struct ipv6hdr *ipv6h; 174 const struct iphdr *iph; 175 struct tcphdr *th = tcp_hdr(skb); 176 int datalen = skb->len - headln; 177 178 /* We only changed the payload so if we are using partial we don't 179 * need to update anything. 180 */ 181 if (likely(skb->ip_summed == CHECKSUM_PARTIAL)) 182 return; 183 184 skb->ip_summed = CHECKSUM_PARTIAL; 185 skb->csum_start = skb_transport_header(skb) - skb->head; 186 skb->csum_offset = offsetof(struct tcphdr, check); 187 188 if (skb->sk->sk_family == AF_INET6) { 189 ipv6h = ipv6_hdr(skb); > 190 th->check = ~csum_ipv6_magic(&ipv6h->saddr, > &ipv6h->daddr, 191 datalen, IPPROTO_TCP, 0); 192 } else { 193 iph = ip_hdr(skb); 194 th->check = ~csum_tcpudp_magic(iph->saddr, iph->daddr, datalen, 195 IPPROTO_TCP, 0); 196 } 197 } 198 --- 0-DAY kernel test infrastructureOpen Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation .config.gz Description: application/gzip
Re: [PATCH v3 net-next 6/6] tls: Add generic NIC offload infrastructure.
Hi Ilya, I love your patch! Perhaps something to improve: [auto build test WARNING on net-next/master] url: https://github.com/0day-ci/linux/commits/Ilya-Lesokhin/tls-Add-generic-NIC-offload-infrastructure/20171219-140819 config: xtensa-allmodconfig (attached as .config) compiler: xtensa-linux-gcc (GCC) 7.2.0 reproduce: wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # save the attached .config to linux build tree make.cross ARCH=xtensa All warnings (new ones prefixed by >>): net//tls/tls_device_fallback.c: In function 'tls_sw_fallback': >> net//tls/tls_device_fallback.c:360:1: warning: the frame size of 1040 bytes >> is larger than 1024 bytes [-Wframe-larger-than=] } ^ vim +360 net//tls/tls_device_fallback.c 214 215 /* This function may be called after the user socket is already 216 * closed so make sure we don't use anything freed during 217 * tls_sk_proto_close here 218 */ 219 struct sk_buff *tls_sw_fallback(struct sock *sk, struct sk_buff *skb) 220 { 221 int tcp_header_size = tcp_hdrlen(skb); 222 int tcp_payload_offset = skb_transport_offset(skb) + tcp_header_size; 223 int payload_len = skb->len - tcp_payload_offset; 224 struct tls_context *tls_ctx = tls_get_ctx(sk); 225 struct tls_offload_context *ctx = tls_offload_ctx(tls_ctx); 226 int remaining, buf_len, resync_sgs, rc, i = 0; 227 void *buf, *dummy_buf, *iv, *aad; 228 struct scatterlist sg_in[2 * (MAX_SKB_FRAGS + 1)]; 229 struct scatterlist sg_out[3]; 230 u32 tcp_seq = ntohl(tcp_hdr(skb)->seq); 231 struct aead_request *aead_req; 232 struct sk_buff *nskb = NULL; 233 struct tls_record_info *record; 234 unsigned long flags; 235 s32 sync_size; 236 u64 rcd_sn; 237 238 if (!payload_len) 239 return skb; 240 241 sg_init_table(sg_in, ARRAY_SIZE(sg_in)); 242 sg_init_table(sg_out, ARRAY_SIZE(sg_out)); 243 244 spin_lock_irqsave(&ctx->lock, flags); 245 record = tls_get_record(ctx, tcp_seq, &rcd_sn); 246 if (!record) { 247 spin_unlock_irqrestore(&ctx->lock, flags); 248 WARN(1, "Record not found for seq %u\n", tcp_seq); 249 goto free_orig; 250 } 251 252 sync_size = tcp_seq - tls_record_start_seq(record); 253 if (sync_size < 0) { 254 int is_start_marker = tls_record_is_start_marker(record); 255 256 spin_unlock_irqrestore(&ctx->lock, flags); 257 if (!is_start_marker) 258 /* This should only occur if the relevant record was 259 * already acked. In that case it should be ok 260 * to drop the packet and avoid retransmission. 261 * 262 * There is a corner case where the packet contains 263 * both an acked and a non-acked record. 264 * We currently don't handle that case and rely 265 * on TCP to retranmit a packet that doesn't contain 266 * already acked payload. 267 */ 268 goto free_orig; 269 270 if (payload_len > -sync_size) { 271 WARN(1, "Fallback of partially offloaded packets is not supported\n"); 272 goto free_orig; 273 } else { 274 return skb; 275 } 276 } 277 278 remaining = sync_size; 279 while (remaining > 0) { 280 skb_frag_t *frag = &record->frags[i]; 281 282 __skb_frag_ref(frag); 283 sg_set_page(sg_in + i, skb_frag_page(frag), 284 skb_frag_size(frag), frag->page_offset); 285 286 remaining -= skb_frag_size(frag); 287 288 if (remaining < 0) 289 sg_in[i].length += remaining; 290 291 i++; 292 } 293 spin_unlock_irqrestore(&ctx->lock, flags); 294 resync_sgs = i; 295 296 aead_req = tls_alloc_aead_request(ctx->aead_send, GFP_ATOMIC); 297 if (!aead_req) 298 goto put_sg; 299 300 buf_len = TLS_CIPHER_AES_GCM_128_SALT_SIZE + 301TLS_CIPHER_AES_GCM_128_IV_SIZE + 302TLS_AAD_SPACE_SIZE + 303sync_size + 304tls_ctx->tag_size; 305 buf = kma
Re: [PATCH v3 net-next 6/6] tls: Add generic NIC offload infrastructure.
On Mon, Dec 18, 2017 at 01:10:33PM +0200, Ilya Lesokhin wrote: > This patch adds a generic infrastructure to offload TLS crypto to a > network devices. It enables the kernel TLS socket to skip encryption > and authentication operations on the transmit side of the data path. > Leaving those computationally expensive operations to the NIC. I have a hard time understanding why this was named 'tls_device' if no net_device's are registered. > > The NIC offload infrastructure builds TLS records and pushes them to > the TCP layer just like the SW KTLS implementation and using the same API. > TCP segmentation is mostly unaffected. Currently the only exception is > that we prevent mixed SKBs where only part of the payload requires > offload. In the future we are likely to add a similar restriction > following a change cipher spec record. > > The notable differences between SW KTLS and NIC offloaded TLS > implementations are as follows: > 1. The offloaded implementation builds "plaintext TLS record", those > records contain plaintext instead of ciphertext and place holder bytes > instead of authentication tags. > 2. The offloaded implementation maintains a mapping from TCP sequence > number to TLS records. Thus given a TCP SKB sent from a NIC offloaded > TLS socket, we can use the tls NIC offload infrastructure to obtain > enough context to encrypt the payload of the SKB. > A TLS record is released when the last byte of the record is ack'ed, > this is done through the new icsk_clean_acked callback. > > The infrastructure should be extendable to support various NIC offload > implementations. However it is currently written with the > implementation below in mind: > The NIC assumes that packets from each offloaded stream are sent as > plaintext and in-order. It keeps track of the TLS records in the TCP > stream. When a packet marked for offload is transmitted, the NIC > encrypts the payload in-place and puts authentication tags in the > relevant place holders. > > The responsibility for handling out-of-order packets (i.e. TCP > retransmission, qdisc drops) falls on the netdev driver. > > The netdev driver keeps track of the expected TCP SN from the NIC's > perspective. If the next packet to transmit matches the expected TCP > SN, the driver advances the expected TCP SN, and transmits the packet > with TLS offload indication. > > If the next packet to transmit does not match the expected TCP SN. The > driver calls the TLS layer to obtain the TLS record that includes the > TCP of the packet for transmission. Using this TLS record, the driver > posts a work entry on the transmit queue to reconstruct the NIC TLS > state required for the offload of the out-of-order packet. It updates > the expected TCP SN accordingly and transmit the now in-order packet. > The same queue is used for packet transmission and TLS context > reconstruction to avoid the need for flushing the transmit queue before > issuing the context reconstruction request. > > Signed-off-by: Boris Pismenny > Signed-off-by: Ilya Lesokhin > Signed-off-by: Aviad Yehezkel > --- > include/net/tls.h | 62 +++- > net/tls/Kconfig | 9 + > net/tls/Makefile | 3 + > net/tls/tls_device.c | 800 > ++ > net/tls/tls_device_fallback.c | 405 + > net/tls/tls_main.c| 33 +- > 6 files changed, 1305 insertions(+), 7 deletions(-) > create mode 100644 net/tls/tls_device.c > create mode 100644 net/tls/tls_device_fallback.c > > diff --git a/include/net/tls.h b/include/net/tls.h > index 936cfc5cab7d..9c1b5d13d9a7 100644 > --- a/include/net/tls.h > +++ b/include/net/tls.h > @@ -75,6 +75,29 @@ struct tls_sw_context { > struct scatterlist sg_aead_out[2]; > }; > > +struct tls_record_info { > + struct list_head list; > + u32 end_seq; > + int len; > + int num_frags; > + skb_frag_t frags[MAX_SKB_FRAGS]; > +}; > + > +struct tls_offload_context { > + struct crypto_aead *aead_send; > + > + struct list_head records_list; > + struct scatterlist sg_tx_data[MAX_SKB_FRAGS]; > + void (*sk_destruct)(struct sock *sk); > + struct tls_record_info *open_record; > + struct tls_record_info *retransmit_hint; > + u64 hint_record_sn; > + u64 unacked_record_sn; > + > + u32 expected_seq; > + spinlock_t lock;/* protects records list */ > +}; > + > enum { > TLS_PENDING_CLOSED_RECORD > }; > @@ -85,6 +108,10 @@ struct tls_context { > struct tls12_crypto_info_aes_gcm_128 crypto_send_aes_gcm_128; > }; > > + struct list_head list; > + struct net_device *netdev; > + refcount_t refcount; > + > void *priv_ctx; > > u8 tx_conf:2; > @@ -129,9 +156,29 @@ int tls_sw_sendpage(struct sock *sk, struct page *page, > void tls_sw_close(struct sock *sk, long timeout); > void tls_sw_free_tx_resources(struct sock *sk); > > -void tls_sk_destruct(struct sock *
[PATCH v3 net-next 6/6] tls: Add generic NIC offload infrastructure.
This patch adds a generic infrastructure to offload TLS crypto to a network devices. It enables the kernel TLS socket to skip encryption and authentication operations on the transmit side of the data path. Leaving those computationally expensive operations to the NIC. The NIC offload infrastructure builds TLS records and pushes them to the TCP layer just like the SW KTLS implementation and using the same API. TCP segmentation is mostly unaffected. Currently the only exception is that we prevent mixed SKBs where only part of the payload requires offload. In the future we are likely to add a similar restriction following a change cipher spec record. The notable differences between SW KTLS and NIC offloaded TLS implementations are as follows: 1. The offloaded implementation builds "plaintext TLS record", those records contain plaintext instead of ciphertext and place holder bytes instead of authentication tags. 2. The offloaded implementation maintains a mapping from TCP sequence number to TLS records. Thus given a TCP SKB sent from a NIC offloaded TLS socket, we can use the tls NIC offload infrastructure to obtain enough context to encrypt the payload of the SKB. A TLS record is released when the last byte of the record is ack'ed, this is done through the new icsk_clean_acked callback. The infrastructure should be extendable to support various NIC offload implementations. However it is currently written with the implementation below in mind: The NIC assumes that packets from each offloaded stream are sent as plaintext and in-order. It keeps track of the TLS records in the TCP stream. When a packet marked for offload is transmitted, the NIC encrypts the payload in-place and puts authentication tags in the relevant place holders. The responsibility for handling out-of-order packets (i.e. TCP retransmission, qdisc drops) falls on the netdev driver. The netdev driver keeps track of the expected TCP SN from the NIC's perspective. If the next packet to transmit matches the expected TCP SN, the driver advances the expected TCP SN, and transmits the packet with TLS offload indication. If the next packet to transmit does not match the expected TCP SN. The driver calls the TLS layer to obtain the TLS record that includes the TCP of the packet for transmission. Using this TLS record, the driver posts a work entry on the transmit queue to reconstruct the NIC TLS state required for the offload of the out-of-order packet. It updates the expected TCP SN accordingly and transmit the now in-order packet. The same queue is used for packet transmission and TLS context reconstruction to avoid the need for flushing the transmit queue before issuing the context reconstruction request. Signed-off-by: Boris Pismenny Signed-off-by: Ilya Lesokhin Signed-off-by: Aviad Yehezkel --- include/net/tls.h | 62 +++- net/tls/Kconfig | 9 + net/tls/Makefile | 3 + net/tls/tls_device.c | 800 ++ net/tls/tls_device_fallback.c | 405 + net/tls/tls_main.c| 33 +- 6 files changed, 1305 insertions(+), 7 deletions(-) create mode 100644 net/tls/tls_device.c create mode 100644 net/tls/tls_device_fallback.c diff --git a/include/net/tls.h b/include/net/tls.h index 936cfc5cab7d..9c1b5d13d9a7 100644 --- a/include/net/tls.h +++ b/include/net/tls.h @@ -75,6 +75,29 @@ struct tls_sw_context { struct scatterlist sg_aead_out[2]; }; +struct tls_record_info { + struct list_head list; + u32 end_seq; + int len; + int num_frags; + skb_frag_t frags[MAX_SKB_FRAGS]; +}; + +struct tls_offload_context { + struct crypto_aead *aead_send; + + struct list_head records_list; + struct scatterlist sg_tx_data[MAX_SKB_FRAGS]; + void (*sk_destruct)(struct sock *sk); + struct tls_record_info *open_record; + struct tls_record_info *retransmit_hint; + u64 hint_record_sn; + u64 unacked_record_sn; + + u32 expected_seq; + spinlock_t lock;/* protects records list */ +}; + enum { TLS_PENDING_CLOSED_RECORD }; @@ -85,6 +108,10 @@ struct tls_context { struct tls12_crypto_info_aes_gcm_128 crypto_send_aes_gcm_128; }; + struct list_head list; + struct net_device *netdev; + refcount_t refcount; + void *priv_ctx; u8 tx_conf:2; @@ -129,9 +156,29 @@ int tls_sw_sendpage(struct sock *sk, struct page *page, void tls_sw_close(struct sock *sk, long timeout); void tls_sw_free_tx_resources(struct sock *sk); -void tls_sk_destruct(struct sock *sk, struct tls_context *ctx); -void tls_icsk_clean_acked(struct sock *sk); +void tls_clear_device_offload(struct sock *sk, struct tls_context *ctx); +int tls_set_device_offload(struct sock *sk, struct tls_context *ctx); +int tls_device_sendmsg(struct sock *sk, struct msghdr *msg, size_t size); +int tls_device_sendpage(struct sock *sk, struct page *