1. 01 May, 2018 10 commits
    • Ilya Lesokhin's avatar
      net/mlx5: Accel, Add TLS tx offload interface · 1ae17322
      Ilya Lesokhin authored
      Add routines for manipulating TLS TX offload contexts.
      
      In Innova TLS, TLS contexts are added or deleted
      via a command message over the SBU connection.
      The HW then sends a response message over the same connection.
      
      Add implementation for Innova TLS (FPGA-based) hardware.
      
      These routines will be used by the TLS offload support in a later patch
      
      mlx5/accel is a middle acceleration layer to allow mlx5e and other ULPs
      to work directly with mlx5_core rather than Innova FPGA or other mlx5
      acceleration providers.
      
      In the future, when IPSec/TLS or any other acceleration gets integrated
      into ConnectX chip, mlx5/accel layer will provide the integrated
      acceleration, rather than the Innova one.
      Signed-off-by: default avatarIlya Lesokhin <ilyal@mellanox.com>
      Signed-off-by: default avatarBoris Pismenny <borisp@mellanox.com>
      Acked-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1ae17322
    • Ilya Lesokhin's avatar
      net/mlx5e: Move defines out of ipsec code · bb909416
      Ilya Lesokhin authored
      The defines are not IPSEC specific.
      Signed-off-by: default avatarIlya Lesokhin <ilyal@mellanox.com>
      Signed-off-by: default avatarBoris Pismenny <borisp@mellanox.com>
      Acked-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bb909416
    • Ilya Lesokhin's avatar
      net/tls: Add generic NIC offload infrastructure · e8f69799
      Ilya Lesokhin authored
      This patch adds a generic infrastructure to offload TLS crypto to a
      network device. It enables the kernel TLS socket to skip encryption
      and authentication operations on the transmit side of the data path.
      Leaving those computationally expensive operations to the NIC.
      
      The NIC offload infrastructure builds TLS records and pushes them to
      the TCP layer just like the SW KTLS implementation and using the same
      API.
      TCP segmentation is mostly unaffected. Currently the only exception is
      that we prevent mixed SKBs where only part of the payload requires
      offload. In the future we are likely to add a similar restriction
      following a change cipher spec record.
      
      The notable differences between SW KTLS and NIC offloaded TLS
      implementations are as follows:
      1. The offloaded implementation builds "plaintext TLS record", those
      records contain plaintext instead of ciphertext and place holder bytes
      instead of authentication tags.
      2. The offloaded implementation maintains a mapping from TCP sequence
      number to TLS records. Thus given a TCP SKB sent from a NIC offloaded
      TLS socket, we can use the tls NIC offload infrastructure to obtain
      enough context to encrypt the payload of the SKB.
      A TLS record is released when the last byte of the record is ack'ed,
      this is done through the new icsk_clean_acked callback.
      
      The infrastructure should be extendable to support various NIC offload
      implementations.  However it is currently written with the
      implementation below in mind:
      The NIC assumes that packets from each offloaded stream are sent as
      plaintext and in-order. It keeps track of the TLS records in the TCP
      stream. When a packet marked for offload is transmitted, the NIC
      encrypts the payload in-place and puts authentication tags in the
      relevant place holders.
      
      The responsibility for handling out-of-order packets (i.e. TCP
      retransmission, qdisc drops) falls on the netdev driver.
      
      The netdev driver keeps track of the expected TCP SN from the NIC's
      perspective.  If the next packet to transmit matches the expected TCP
      SN, the driver advances the expected TCP SN, and transmits the packet
      with TLS offload indication.
      
      If the next packet to transmit does not match the expected TCP SN. The
      driver calls the TLS layer to obtain the TLS record that includes the
      TCP of the packet for transmission. Using this TLS record, the driver
      posts a work entry on the transmit queue to reconstruct the NIC TLS
      state required for the offload of the out-of-order packet. It updates
      the expected TCP SN accordingly and transmits the now in-order packet.
      The same queue is used for packet transmission and TLS context
      reconstruction to avoid the need for flushing the transmit queue before
      issuing the context reconstruction request.
      Signed-off-by: default avatarIlya Lesokhin <ilyal@mellanox.com>
      Signed-off-by: default avatarBoris Pismenny <borisp@mellanox.com>
      Signed-off-by: default avatarAviad Yehezkel <aviadye@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e8f69799
    • Boris Pismenny's avatar
      net/tls: Split conf to rx + tx · f66de3ee
      Boris Pismenny authored
      In TLS inline crypto, we can have one direction in software
      and another in hardware. Thus, we split the TLS configuration to separate
      structures for receive and transmit.
      Signed-off-by: default avatarBoris Pismenny <borisp@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f66de3ee
    • Ilya Lesokhin's avatar
      net: Add TLS TX offload features · 2342a851
      Ilya Lesokhin authored
      This patch adds a netdev feature to configure TLS TX offloads.
      Signed-off-by: default avatarIlya Lesokhin <ilyal@mellanox.com>
      Signed-off-by: default avatarBoris Pismenny <borisp@mellanox.com>
      Signed-off-by: default avatarAviad Yehezkel <aviadye@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2342a851
    • Ilya Lesokhin's avatar
      net: Add TLS offload netdev ops · a5c37c63
      Ilya Lesokhin authored
      Add new netdev ops to add and delete tls context
      Signed-off-by: default avatarIlya Lesokhin <ilyal@mellanox.com>
      Signed-off-by: default avatarBoris Pismenny <borisp@mellanox.com>
      Signed-off-by: default avatarAviad Yehezkel <aviadye@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a5c37c63
    • Ilya Lesokhin's avatar
      net: Add Software fallback infrastructure for socket dependent offloads · ebf4e808
      Ilya Lesokhin authored
      With socket dependent offloads we rely on the netdev to transform
      the transmitted packets before sending them to the wire.
      When a packet from an offloaded socket is rerouted to a different
      device we need to detect it and do the transformation in software.
      Signed-off-by: default avatarIlya Lesokhin <ilyal@mellanox.com>
      Signed-off-by: default avatarBoris Pismenny <borisp@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ebf4e808
    • Ilya Lesokhin's avatar
      net: Rename and export copy_skb_header · 08303c18
      Ilya Lesokhin authored
      copy_skb_header is renamed to skb_copy_header and
      exported. Exposing this function give more flexibility
      in copying SKBs.
      skb_copy and skb_copy_expand do not give enough control
      over which parts are copied.
      Signed-off-by: default avatarIlya Lesokhin <ilyal@mellanox.com>
      Signed-off-by: default avatarBoris Pismenny <borisp@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      08303c18
    • Ilya Lesokhin's avatar
      tcp: Add clean acked data hook · 6dac1523
      Ilya Lesokhin authored
      Called when a TCP segment is acknowledged.
      Could be used by application protocols who hold additional
      metadata associated with the stream data.
      
      This is required by TLS device offload to release
      metadata associated with acknowledged TLS records.
      Signed-off-by: default avatarIlya Lesokhin <ilyal@mellanox.com>
      Signed-off-by: default avatarBoris Pismenny <borisp@mellanox.com>
      Signed-off-by: default avatarAviad Yehezkel <aviadye@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6dac1523
    • David S. Miller's avatar
      Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue · 1a1f4a28
      David S. Miller authored
      Jeff Kirsher says:
      
      ====================
      40GbE Intel Wired LAN Driver Updates 2018-04-30
      
      This series contains updates to i40e and i40evf only.
      
      Jia-Ju Bai replaces an instance of GFP_ATOMIC to GFP_KERNEL, since
      i40evf is not in atomic context when i40evf_add_vlan() is called.
      
      Jake cleans up function header comments to ensure that the function
      parameter comments actually match the function parameters.  Fixed a
      possible overflow error in the PTP clock code.  Fixed warnings regarding
      restricted __be32 type usage.
      
      Mariusz fixes the reading of the LLDP configuration, which moves from
      using relative values to calculating the absolute address.
      
      Jakub adds a check for 10G LR mode for i40e.
      
      Paweł fixes an issue, where changing the MTU would turn on TSO, GSO and
      GRO.
      
      Alex fixes a couple of issues with the UDP tunnel filter configuration.
      First being that the tunnels did not have mutual exclusion in place to
      prevent a race condition between a user request to add/remove a port and
      an update.  The second issue was we were deleting filters that were not
      associated with the actual filter we wanted to delete.
      
      Harshitha ensures that the queue map sent by the VF is taken into
      account when enabling/disabling queues in the VF VSI.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1a1f4a28
  2. 30 Apr, 2018 30 commits