| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 14 Jan 2021 20:01:27 +0200
From: Tariq Toukan <tariqt@...dia.com>
To: "David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>
Cc: Boris Pismenny <borisp@...dia.com>, netdev@...r.kernel.org,
Tariq Toukan <ttoukan.linux@...il.com>,
Moshe Shemesh <moshe@...dia.com>,
Jay Vosburgh <j.vosburgh@...il.com>,
Veaceslav Falico <vfalico@...il.com>,
Andy Gospodarek <andy@...yhouse.net>,
John Fastabend <john.fastabend@...il.com>,
Daniel Borkmann <daniel@...earbox.net>,
Jarod Wilson <jarod@...hat.com>,
Ivan Vecera <ivecera@...hat.com>,
Tariq Toukan <tariqt@...dia.com>
Subject: [PATCH net-next V2 0/8] TLS device offload for Bond
Hi,
This series opens TX and RX TLS device offload for bond interfaces.
This allows bond interfaces to benefit from capable slave devices.
We add a new ndo_sk_get_slave() to be used to get the slave that corresponds
to a given socket.
The TLS module uses it to interact directly with the lowest device in
chain, and invoke the control operations in tlsdev_ops. This means that the
bond interface doesn't have his own struct tlsdev_ops instance and
derived logic/callbacks.
To keep simple track of the HW and SW TLS contexts, we bind each socket to
a specific slave for the socket's whole lifetime. This is logically valid
(and similar to the SW kTLS behavior) in the following bond configuration,
so we restrict the offload support to it:
((mode == balance-xor) or (mode == 802.3ad))
and xmit_hash_policy == layer3+4.
In this design, TLS TX/RX offload feature flags of the bond device are
independent from the slaves. They reflect the current features state, but
are not directly controllable.
This is because the bond driver is bypassed by the call to ndo_sk_get_slave(),
without him knowing who the caller is.
The bond TLS feature flags are set/cleared only according to the configuration
of the mode and xmit_hash_policy.
Bypass is true only for the control flow. Packets in fast path still go through
the bond logic.
The design here differs from the xfrm/ipsec offload, where the bond driver
has his own copy of struct xfrmdev_ops and callbacks.
Regards,
Tariq
V2:
- Declare RX support.
- Enhance the feature flags logic.
- Slight modifications for bond_set_xfrm_features().
-
RFC:
- New design for the tlsdev_ops calls, introduce and use ndo_sk_get_slave()
to interact directly with the slave netdev.
- Remove bond copy of tlsdev_ops callbacks.
- In TLS module: Use netdev_sk_get_lowest_dev(), give exceptions to some checks
to allow bond support.
Tariq Toukan (8):
net: netdevice: Add operation ndo_sk_get_slave
net/bonding: Take IP hash logic into a helper
net/bonding: Implement ndo_sk_get_slave
net/bonding: Take update_features call out of XFRM funciton
net/bonding: Implement TLS TX device offload
net/bonding: Declare TLS RX device offload support
net/tls: Device offload to use lowest netdevice in chain
net/tls: Except bond interface from some TLS checks
drivers/net/bonding/bond_main.c | 139 +++++++++++++++++++++++++++--
drivers/net/bonding/bond_options.c | 42 +++++++--
include/linux/netdevice.h | 4 +
include/net/bonding.h | 4 +
net/core/dev.c | 32 +++++++
net/tls/tls_device.c | 4 +-
net/tls/tls_device_fallback.c | 2 +-
7 files changed, 211 insertions(+), 16 deletions(-)
--
2.21.0
Powered by blists - more mailing lists