lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20210114180135.11556-1-tariqt@nvidia.com>
Date:   Thu, 14 Jan 2021 20:01:27 +0200
From:   Tariq Toukan <tariqt@...dia.com>
To:     "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>
Cc:     Boris Pismenny <borisp@...dia.com>, netdev@...r.kernel.org,
        Tariq Toukan <ttoukan.linux@...il.com>,
        Moshe Shemesh <moshe@...dia.com>,
        Jay Vosburgh <j.vosburgh@...il.com>,
        Veaceslav Falico <vfalico@...il.com>,
        Andy Gospodarek <andy@...yhouse.net>,
        John Fastabend <john.fastabend@...il.com>,
        Daniel Borkmann <daniel@...earbox.net>,
        Jarod Wilson <jarod@...hat.com>,
        Ivan Vecera <ivecera@...hat.com>,
        Tariq Toukan <tariqt@...dia.com>
Subject: [PATCH net-next V2 0/8] TLS device offload for Bond

Hi,

This series opens TX and RX TLS device offload for bond interfaces.
This allows bond interfaces to benefit from capable slave devices.

We add a new ndo_sk_get_slave() to be used to get the slave that corresponds
to a given socket.
The TLS module uses it to interact directly with the lowest device in
chain, and invoke the control operations in tlsdev_ops. This means that the
bond interface doesn't have his own struct tlsdev_ops instance and
derived logic/callbacks.

To keep simple track of the HW and SW TLS contexts, we bind each socket to
a specific slave for the socket's whole lifetime. This is logically valid
(and similar to the SW kTLS behavior) in the following bond configuration, 
so we restrict the offload support to it:

((mode == balance-xor) or (mode == 802.3ad))
and xmit_hash_policy == layer3+4.

In this design, TLS TX/RX offload feature flags of the bond device are
independent from the slaves. They reflect the current features state, but
are not directly controllable.
This is because the bond driver is bypassed by the call to ndo_sk_get_slave(),
without him knowing who the caller is.
The bond TLS feature flags are set/cleared only according to the configuration
of the mode and xmit_hash_policy.

Bypass is true only for the control flow. Packets in fast path still go through
the bond logic.

The design here differs from the xfrm/ipsec offload, where the bond driver
has his own copy of struct xfrmdev_ops and callbacks.

Regards,
Tariq

V2:
- Declare RX support.
- Enhance the feature flags logic.
- Slight modifications for bond_set_xfrm_features().
- 

RFC:
- New design for the tlsdev_ops calls, introduce and use ndo_sk_get_slave()
  to interact directly with the slave netdev.
- Remove bond copy of tlsdev_ops callbacks.
- In TLS module: Use netdev_sk_get_lowest_dev(), give exceptions to some checks
  to allow bond support.


Tariq Toukan (8):
  net: netdevice: Add operation ndo_sk_get_slave
  net/bonding: Take IP hash logic into a helper
  net/bonding: Implement ndo_sk_get_slave
  net/bonding: Take update_features call out of XFRM funciton
  net/bonding: Implement TLS TX device offload
  net/bonding: Declare TLS RX device offload support
  net/tls: Device offload to use lowest netdevice in chain
  net/tls: Except bond interface from some TLS checks

 drivers/net/bonding/bond_main.c    | 139 +++++++++++++++++++++++++++--
 drivers/net/bonding/bond_options.c |  42 +++++++--
 include/linux/netdevice.h          |   4 +
 include/net/bonding.h              |   4 +
 net/core/dev.c                     |  32 +++++++
 net/tls/tls_device.c               |   4 +-
 net/tls/tls_device_fallback.c      |   2 +-
 7 files changed, 211 insertions(+), 16 deletions(-)

-- 
2.21.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ