git.kernel.dk Git - linux-2.6-block.git/commit

author	Boris Pismenny <borisp@mellanox.com>
	Fri, 13 Jul 2018 11:33:43 +0000 (14:33 +0300)
committer	David S. Miller <davem@davemloft.net>
	Mon, 16 Jul 2018 07:13:11 +0000 (00:13 -0700)
commit	4799ac81e52a72a6404827bf2738337bb581a174
tree	0d75fbecd761c35507d05122d9d26855c7e6c4de	tree \| snapshot
parent	b190a587c634a8559e4ceabeb0468e93db49789a	commit \| diff

tls: Add rx inline crypto offload

This patch completes the generic infrastructure to offload TLS crypto to a
network device. It enables the kernel to skip decryption and
authentication of some skbs marked as decrypted by the NIC. In the fast
path, all packets received are decrypted by the NIC and the performance
is comparable to plain TCP.

This infrastructure doesn't require a TCP offload engine. Instead, the
NIC only decrypts packets that contain the expected TCP sequence number.
Out-Of-Order TCP packets are provided unmodified. As a result, at the
worst case a received TLS record consists of both plaintext and ciphertext
packets. These partially decrypted records must be reencrypted,
only to be decrypted.

The notable differences between SW KTLS Rx and this offload are as
follows:
1. Partial decryption - Software must handle the case of a TLS record
that was only partially decrypted by HW. This can happen due to packet
reordering.
2. Resynchronization - tls_read_size calls the device driver to
resynchronize HW after HW lost track of TLS record framing in
the TCP stream.

Signed-off-by: Boris Pismenny <borisp@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

include/net/tls.h		diff \| blob \| blame \| history
net/tls/tls_device.c		diff \| blob \| blame \| history
net/tls/tls_device_fallback.c		diff \| blob \| blame \| history
net/tls/tls_main.c		diff \| blob \| blame \| history
net/tls/tls_sw.c		diff \| blob \| blame \| history