The code currently always references the first page in the
frag, therefore there is no need to pay the extra overhead
of making the frag page compound.
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
---
net/core/sock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ne
umazet [mailto:eric.duma...@gmail.com]
> Sent: Thursday, August 04, 2016 4:25 PM
> To: Ilya Lesokhin <il...@mellanox.com>
> Cc: netdev@vger.kernel.org; eduma...@google.com
> Subject: Re: [PATCH] net: use non-compound pages in frag allocator
>
> On Thu, 2016-08-04 at 15
Hi,
I've noticed that tcp_can_collapse() returns false if skb_shinfo(skb)->nr_frags != 0.
Is there a reason why we want to base the collapse decision in retransmission
on whether the data is located in a frag or the linear part?
The relevant commit is
tcp: collapse more than two on
Want to be able to use these in TLS.
Signed-off-by: Boris Pismenny
---
net/ipv6/tcp_ipv6.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 2521690..ef8d5b4 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@
oto structs and uses them when
attached to ipv6 sockets.
Signed-off-by: Boris Pismenny <bor...@mellanox.com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
---
net/tls/Kconfig| 1 +
net/tls/tls_main.c | 50 ++
2 files changed
With this patch IPV6 code ensures that only sockets with the
expected sk->sk_prot are converted to IPV4.
Signed-off-by: Boris Pismenny
---
net/ipv6/ipv6_sockglue.c | 12
1 file changed, 12 insertions(+)
diff --git a/net/ipv6/ipv6_sockglue.c
ier kernel.
- tls_init now checks sk->sk_prot directly
This is somewhat safer than checking indirectly through sk->sk_family
Ilya Lesokhin (3):
ipv6: Prevent unexpected sk->sk_prot changes
net: Export tcpv6_prot
tls: Use correct sk->sk_prot for IPV6
net/ipv6/ipv6_sockglue.c | 12 ++
Fix tls code to use the correct sk->sk_prot for IPV6.
Previously the tcp_prot of IPV4 was used.
Boris Pismenny (1):
net: Export tcpv6_prot
Ilya Lesokhin (2):
ipv6: Prevent unexpected sk->sk_prot changes
tls: Use correct sk->sk_prot for IPV6
net/ipv6/ipv6_sockgl
The code assumed that only IP version 4 TCP sk->sk_prot was
being used. Now it checks for IPV6 and sets sk->sk_prot
accordingly.
Signed-off-by: Boris Pismenny <bor...@mellanox.com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
---
net/t
From: Boris Pismenny
Want to be able to use these in TLS.
Signed-off-by: Boris Pismenny
---
net/ipv6/tcp_ipv6.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 2521690..e3a44a5 100644
---
> -Original Message-
> From: Eric Dumazet [mailto:eric.duma...@gmail.com]
> Sent: Tuesday, August 15, 2017 5:46 PM
> To: Boris Pismenny <bor...@mellanox.com>
> Cc: Ilya Lesokhin <il...@mellanox.com>; netdev@vger.kernel.org;
> da...@davemloft.net; davejwat...@
umazet [mailto:eric.duma...@gmail.com]
> Sent: Thursday, May 4, 2017 9:33 PM
> To: Ilya Lesokhin <il...@mellanox.com>
> Cc: netdev@vger.kernel.org; tls-fpga-sw-dev d...@mellanox.com>; Dave Watson <davejwat...@fb.com>
> Subject: Re: Why do we need MSG_SENDPAGE_NOTLAST?
>
I don't understand the need for MSG_SENDPAGE_NOTLAST and I'm hoping someone can
enlighten me.
According to commit 35f9c09 ('tcp: tcp_sendpages() should call tcp_push()
once'):
"We need to call tcp_flush() at the end of the last page processed in
tcp_sendpages(), or else transmits can be
This patch adds a netdev feature to configure TLS TX offloads.
Signed-off-by: Boris Pismenny <bor...@mellanox.com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
Signed-off-by: Aviad Yehezkel <avia...@mellanox.com>
---
include/linux/netdev_features.h | 2 ++
Add new netdev ops to add and delete tls context
Signed-off-by: Boris Pismenny <bor...@mellanox.com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
Signed-off-by: Aviad Yehezkel <avia...@mellanox.com>
---
include/linux/netdevice.h | 21 +
1 file chan
he context reconstruction request.
Signed-off-by: Boris Pismenny <bor...@mellanox.com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
Signed-off-by: Aviad Yehezkel <avia...@mellanox.com>
---
include/net/tls.h| 41 +++-
net/tls/Kconfig | 9 +
net/tls/Makefile |
llanox/tls-offload/tree/tls_device_v1
Paper: https://www.netdevconf.org/1.2/papers/netdevconf-TLS.pdf
Ilya Lesokhin (5):
tls: Move release of tls_ctx into tls_sw_free_resources
tcp: Add clean acked data hook
net: Add TLS offload netdev ops
net: Add TLS TX offload features
tls: Add g
Move release of tls_ctx into sw specific code.
This is required because the device offload implementation
requires this context to remain alive until there are
no more in-flight SKBs.
Signed-off-by: Boris Pismenny <bor...@mellanox.com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
Signed-off-by: Aviad Yehezkel <avia...@mellanox.com>
---
include/net/inet_connection_sock.h | 2 ++
net/ipv4/tcp_input.c | 3 +++
2 files changed, 5 insertions(+)
diff --git a/include/net/inet_connection_soc
Hannes Frederic Sowa writes:
> The user should be aware of that they can't migrate the socket to another
> interface if they got hw offloaded. This is not the case for software offload.
> Thus I think the user has to opt in and it shouldn't be a heuristic until we
>
Want to be able to use these in TLS.
Signed-off-by: Boris Pismenny
---
net/ipv6/tcp_ipv6.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 38f76d8..60d0629 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@
oto structs and uses them when
attached to ipv6 sockets.
Fixes: 3c4d7559159b ('tls: kernel TLS support')
Signed-off-by: Boris Pismenny <bor...@mellanox.com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
---
net/tls/Kconfig| 1 +
net/tls/
nel.
- tls_init now checks sk->sk_prot directly
This is somewhat safer than checking indirectly through sk->sk_family
Ilya Lesokhin (2):
net: Export tcpv6_prot
tls: Use correct sk->sk_prot for IPV6
net/ipv6/tcp_ipv6.c | 1 +
net/tls/Kcon
Avoid copying crypto_info again after cipher_type check
to avoid TOCTOU exploits.
The temporary array on the stack is removed as we don't really need it
Fixes: 3c4d7559159b ('tls: kernel TLS support')
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
---
net/tls/tls_main.
If we fail to enable tls in the kernel we shouldn't override
the sk_write_space callback
Fixes: 3c4d7559159b ('tls: kernel TLS support')
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
---
net/tls/tls_main.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/n
onf == TLS_BASE_TX.
This patch also removes ctx->free_resources as we can use ctx->tx_conf
to obtain the relevant information.
Fixes: 3c4d7559159b ('tls: kernel TLS support')
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
---
include/net/tls.h | 2 +-
net/tls/
/msg2608603.html
Patch 6 avoids callback overriding when tls_set_sw_offload fails.
Ilya Lesokhin (6):
tls: Use kzalloc for aead_request allocation
tls: Add function to update the TLS socket configuration
tls: Fix TLS ulp context leak, when TLS_TX setsockopt is not used.
tls: Move tls_make_aad
Use kzalloc for aead_request allocation as
we don't set all the bits in the request.
Fixes: 3c4d7559159b ('tls: kernel TLS support')
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
---
net/tls/tls_sw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/tls/tls_sw.c
move tls_make_aad as it is going to be reused
by the device offload code and rx path.
Remove unused recv parameter.
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
---
include/net/tls.h | 15 +++
net/tls/tls_sw.c | 18 +-
2 files changed, 16 insertions(
The tx configuration is now stored in ctx->tx_conf,
and sk->sk_prot is updated through a function.
This will simplify things when we add rx
and support for different possible
tx and rx cross configurations.
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
---
include/net/tls.h | 2
Add new netdev ops to add and delete tls context
Signed-off-by: Boris Pismenny <bor...@mellanox.com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
Signed-off-by: Aviad Yehezkel <avia...@mellanox.com>
---
include/linux/netdevice.h | 23 +++
1 file chan
he context reconstruction request.
Signed-off-by: Boris Pismenny <bor...@mellanox.com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
Signed-off-by: Aviad Yehezkel <avia...@mellanox.com>
---
include/net/tls.h | 62 +++-
net/tls/Kconfig | 9 +
net/tls
copy_skb_header is renamed to skb_copy_header and
exported. Exposing this function gives more flexibility
in copying SKBs.
skb_copy and skb_copy_expand do not give enough control
over which parts are copied.
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
Signed-off-by: Boris Pismenn
papers/netdevconf-TLS.pdf
Ilya Lesokhin (6):
tcp: Add clean acked data hook
net: Rename and export copy_skb_header
net: Add SW fallback infrastructure for offloaded sockets
net: Add TLS offload netdev ops
net: Add TLS TX offload features
tls: Add generic NIC offload infrastructure.
include
Offloaded sockets rely on the netdev to transform the transmitted
packets before sending them over the network.
When a packet from an offloaded socket is looped back or
rerouted to a different device we need to detect it and
do the transformation in software
Signed-off-by: Ilya Lesokhin <
Tuesday, December 19, 2017 5:12 PM, Marcelo Ricardo Leitner wrote:
> > I'm not quite sure what you mean by "no net_device's are registered"
> > Presumably you mean there is no device that implements the
> > NETIF_F_HW_TLS_TX capability yet.
>
> Not really. Let me try again. This patchset is
> > diff --git a/net/core/dev.c b/net/core/dev.c
> > index b0eee49a2489..6a78d9046674 100644
> > --- a/net/core/dev.c
> > +++ b/net/core/dev.c
> > @@ -3051,6 +3051,10 @@ static struct sk_buff *validate_xmit_skb(struct
> sk_buff *skb, struct net_device
> > if (unlikely(!skb))
> >
> 1) tcp_ack() is already very expensive.
>
I'm not sure what we should do with that comment. We need
some trigger to free TLS records. tcp_ack seemed like a reasonable
trigger.
> 2) Since you do not pass any state here, this looks very suspicious to
> me.
>
The state we need is the
>
> TLS records should be attached to skbs ?
>
> It seems more reasonable to free TLS when skb are freed, and not in
> general tcp_ack() path.
We've considered it, but then we would have to touch all the places the TCP
stack splits or merges SKBs. Seems more intrusive.
>
> >
> > > 2) Since
On Monday, December 18, 2017 9:18 PM, Marcelo Ricardo Leitner wrote:
> > +
> > + if (sk && sk_fullsock(sk) && sk->sk_offload_check)
>
> Isn't this going to hurt the fast path, checking for sk fields here?
>
We do add code to the fast path but it seems unavoidable if you want to have SW
On Monday, December 18, 2017 9:54 PM, Marcelo Ricardo Leitner wrote:
> On Mon, Dec 18, 2017 at 01:10:33PM +0200, Ilya Lesokhin wrote:
> > This patch adds a generic infrastructure to offload TLS crypto to a
> > network devices. It enables the kernel TLS socket to
tue for offloaded socket fallback
patches 10-11 add new NDOs and capabilities.
patch 12 adds the TLS NIC offload infrastructure.
Github with mlx5e TLS offload support:
https://github.com/Mellanox/tls-offload/tree/tls_device_v2
Paper: https://www.netdevconf.org/1.2/papers/netdevconf-TLS.pdf
Ilya Lesok
move tls_make_aad as it is going to be reused
by the device offload code
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
---
include/net/tls.h | 15 +++
net/tls/tls_sw.c | 18 +-
2 files changed, 16 insertions(+), 17 deletions(-)
diff --git a/include/net/t
copy_skb_header is renamed to skb_copy_header and
exported. Exposing this function gives more flexibility
in copying SKBs.
skb_copy and skb_copy_expand do not give enough control
over which parts are copied.
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
---
include/linux/skbuff.h | 1
he context reconstruction request.
Signed-off-by: Boris Pismenny <bor...@mellanox.com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
Signed-off-by: Aviad Yehezkel <avia...@mellanox.com>
---
include/net/tls.h | 55 +++-
net/tls/Kconfig | 9 +
net/tls
Hi,
I've tried using the aesni generic gcm(aes) aead to implement TLS SW fallback and I'm getting
[ 3356.839506] BUG: sleeping function called from invalid context at
./include/crypto/algapi.h:417
The warning is coming from a ___might_sleep() macro that is called if
CRYPTO_TFM_REQ_MAY_SLEEP
On Tuesday, October 31, 2017 11:14 AM Steffen Klassert wrote:
> I think Ilya talks about the case where the TLS crypto is intended to be
> offloaded
> to a NIC. In this case we need a software crypto fallback e.g. if a packet got
> rerouted to a device that does not support crypto offloading.
On Tuesday, October 31, 2017 9:33 AM, Herbert Xu wrote:
> You are right. generic-gcm-aesni is completely broken.
>
> It needs to be rewritten to use a wrapper as is done with rfc4106.
I think we should consider having a synchronous implementation that falls back
to integer implementation when
On Tuesday, October 31, 2017 9:17 AM, Herbert Xu wrote:
>
> Users of the crypto API shouldn't need to check irq_fpu_usable().
> The crypto API should work regardless of what context you're in.
>
I agree, I'm just saying that as far as I can tell that's not true
for the aesni generic gcm(aes)
On Tuesday, October 31, 2017 9:45 AM, Herbert Xu wrote:
>
> For your intended use case I think async processing should work just fine as
> it
> does for IPsec.
>
I haven't dived into the async IPSEC fallback code yet, but it seems
complicated.
I'm not sure it makes the correct
On Tuesday, October 31, 2017 6:10 AM, Herbert Xu wrote:
>
> Are you allocating the tfm from atomic context? That is not allowed.
>
> Normally you would allocate the tfm in process context, e.g., when the
> connection is setup.
>
I call crypto_alloc_aead("gcm(aes)", 0, flags) in process
>
> > Dave, would you prefer to get the driver patches that use this infra
> > before the infra?
>
> The arguments you present are silly.
>
> In order to analyze any proposed API, the users of it must be presented for
> the
> reviewers to see as well.
>
> Logically, you must have tried to
attached to it.
We restrict the TLS ulp to sockets in ESTABLISHED state
to prevent the scenario above.
Fixes: 3c4d755 ('tls: kernel TLS support')
Reported-by: syzbot+904e7cd6c5c741609...@syzkaller.appspotmail.com
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
---
net/tls/tls_main.c | 9 ++
I'm sorry, I've noticed that I have a typo in my comment.
It should read:
/*The TLS ulp is currently supported only for TCP sockets
* in ESTABLISHED state.
* Supporting sockets in LISTEN state will require us
* to modify the accept implementation to clone rather than
* share the ulp context.
attached to it.
We restrict the TLS ulp to sockets in ESTABLISHED state
to prevent the scenario above.
Fixes: 3c4d7559159b ("tls: kernel TLS support")
Reported-by: syzbot+904e7cd6c5c741609...@syzkaller.appspotmail.com
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
---
v2: Fix
Avoid SKB coalescing if eor bit is set in one of the relevant
SKBs.
Fixes: c134ecb87817 ("tcp: Make use of MSG_EOR in tcp_sendmsg")
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
---
net/ipv4/tcp_output.c | 11 +++
1 file changed, 11 insertions(+)
diff --git a/net/ipv
Avoid SKB coalescing if eor bit is set in one of the relevant
SKBs.
Change-Id: I64d4f9874f2e23b3fd03daddccbefed53e098028
Fixes: c134ecb87817 ("tcp: Make use of MSG_EOR in tcp_sendmsg")
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
---
net/ipv4/tcp_output.c | 25
Avoid SKB coalescing if eor bit is set in one of the relevant
SKBs.
Fixes: c134ecb87817 ("tcp: Make use of MSG_EOR in tcp_sendmsg")
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
---
Changes from v4:
- Remove Gerrit Change-Id
Changes from v3:
- Fix coding style
Avoid SKB coalescing if eor bit is set in one of the relevant
SKBs.
Fixes: c134ecb87817 ("tcp: Make use of MSG_EOR in tcp_sendmsg")
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
---
net/ipv4/tcp_output.c | 12
1 file changed, 12 insertions(+)
diff --git a/net/i
Avoid SKB coalescing if eor bit is set in one of the relevant
SKBs.
Fixes: c134ecb87817 ("tcp: Make use of MSG_EOR in tcp_sendmsg")
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
---
net/ipv4/tcp_output.c | 26 ++
1 file changed, 26 insertions(+)
diff