Date:   Wed, 11 Nov 2020 14:25:53 +0200
From:   Tariq Toukan <ttoukan.linux@...il.com>
To:     Jakub Kicinski <kuba@...nel.org>
Cc:     "David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org,
        Saeed Mahameed <saeedm@...dia.com>,
        Moshe Shemesh <moshe@...dia.com>,
        Boris Pismenny <borisp@...dia.com>, tariqt@...dia.com
Subject: Re: [PATCH net V2] net: Disable NETIF_F_HW_TLS_TX when HW_CSUM is
 disabled



On 11/11/2020 1:44 AM, Jakub Kicinski wrote:
> On Sun,  8 Nov 2020 16:43:09 +0200 Tariq Toukan wrote:
>> @@ -528,3 +528,7 @@ Drivers should ignore the changes to TLS the device feature flags.
>>   These flags will be acted upon accordingly by the core ``ktls`` code.
>>   TLS device feature flags only control adding of new TLS connection
>>   offloads, old connections will remain active after flags are cleared.
>> +
>> +The TLS encryption cannot be offloaded to device if checksum calculation
>> +is not, hence the TLS TX device feature flag is cleared when HW_CSUM is
>> +disabled.
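Review bot: The added paragraph does not say what happens to connections that are already offloaded when HW_CSUM is turned off, and a reader can take "cannot be offloaded" to mean they fall back to software crypto. The unchanged context just above says TLS feature flags only control adding new offloads and that old connections remain active after flags are cleared, so the two paragraphs read as contradictory. Suggest stating explicitly that clearing the TLS TX flag here only prevents new offloads, and documenting what existing offloaded connections should expect once checksum offload is disabled.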
> 
> This makes it sound like the driver will fall back to software crypto
> if L4 csum offload gets disabled, is this your intention?
> 
> Seems at odds with the paragraph above it.
> 

Actually, TLS feature bit acts on new connections, while CSUM feature 
bit acts immediately, so for old connections we still have a gap.

I think of adding logic in netif_skb_features or tls_validate_xmit_skb, 
but it's not trivial.

I'll resubmit when I figure out a clean way that covers all cases and is 
consistent with TLS feature bit behavior.

Regards,
Tariq


>> diff --git a/net/core/dev.c b/net/core/dev.c
>> index 9499a414d67e..26c9b059cade 100644
>> --- a/net/core/dev.c
>> +++ b/net/core/dev.c
>> @@ -9584,6 +9584,11 @@ static netdev_features_t netdev_fix_features(struct net_device *dev,
>>   		}
>>   	}
>>   
>> +	if ((features & NETIF_F_HW_TLS_TX) && !(features & NETIF_F_HW_CSUM)) {
>> +		netdev_dbg(dev, "Dropping TLS TX HW offload feature since no CSUM feature.\n");
>> +		features &= ~NETIF_F_HW_TLS_TX;
>> +	}
>> +
>>   	return features;
>>   }
>>   
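Review bot: The new check in netdev_fix_features() only adjusts the advertised feature set, so it has no effect on TLS connections that were offloaded before HW_CSUM was cleared; those keep going through the device while checksum offload is off. If that combination cannot work in hardware, the transmit path needs handling for it as well, or the commit message should state the limitation. Two smaller points on the same lines: the condition tests NETIF_F_HW_CSUM alone, so it is worth confirming that no TLS-capable device exposes its checksum offload through a different feature bit, and netdev_dbg() is silent by default, so a user who disables checksum offload gets no visible indication that TLS TX offload was dropped with it.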
> 
