| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250625135210.2975231-1-daniel.zahka@gmail.com>
Date: Wed, 25 Jun 2025 06:51:50 -0700
From: Daniel Zahka <daniel.zahka@...il.com>
To: Donald Hunter <donald.hunter@...il.com>,
Jakub Kicinski <kuba@...nel.org>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Paolo Abeni <pabeni@...hat.com>,
Simon Horman <horms@...nel.org>,
Jonathan Corbet <corbet@....net>,
Andrew Lunn <andrew+netdev@...n.ch>
Cc: Saeed Mahameed <saeedm@...dia.com>,
Leon Romanovsky <leon@...nel.org>,
Tariq Toukan <tariqt@...dia.com>,
Boris Pismenny <borisp@...dia.com>,
Kuniyuki Iwashima <kuniyu@...gle.com>,
Willem de Bruijn <willemb@...gle.com>,
David Ahern <dsahern@...nel.org>,
Neal Cardwell <ncardwell@...gle.com>,
Patrisious Haddad <phaddad@...dia.com>,
Raed Salem <raeds@...dia.com>,
Jianbo Liu <jianbol@...dia.com>,
Dragos Tatulea <dtatulea@...dia.com>,
Rahul Rameshbabu <rrameshbabu@...dia.com>,
Stanislav Fomichev <sdf@...ichev.me>,
Toke Høiland-Jørgensen <toke@...hat.com>,
Alexander Lobakin <aleksander.lobakin@...el.com>,
Jacob Keller <jacob.e.keller@...el.com>,
netdev@...r.kernel.org
Subject: [PATCH v2 00/17] add basic PSP encryption for TCP connections
This is v2 of the PSP RFC [1] posted by Jakub Kicinski one year
ago. See the changelogs of inidividual patches for problems that were
addressed from v1. Other developments since v1 include a fork of
packetdrill [2] with support for PSP added, as well as some test
cases, and an implementation of PSP key exchange and connection
upgrade [3] integrated into the fbthrift RPC library. Both [2] and [3]
have been tested on server platforms with PSP-capable CX7 NICs. Below
is the cover letter from the original RFC:
Add support for PSP encryption of TCP connections.
PSP is a protocol out of Google:
https://github.com/google/psp/blob/main/doc/PSP_Arch_Spec.pdf
which shares some similarities with IPsec. I added some more info
in the first patch so I'll keep it short here.
The protocol can work in multiple modes including tunneling.
But I'm mostly interested in using it as TLS replacement because
of its superior offload characteristics. So this patch does three
things:
- it adds "core" PSP code
PSP is offload-centric, and requires some additional care and
feeding, so first chunk of the code exposes device info.
This part can be reused by PSP implementations in xfrm, tunneling etc.
- TCP integration TLS style
Reuse some of the existing concepts from TLS offload, such as
attaching crypto state to a socket, marking skbs as "decrypted",
egress validation. PSP does not prescribe key exchange protocols.
To use PSP as a more efficient TLS offload we intend to perform
a TLS handshake ("inline" in the same TCP connection) and negotiate
switching to PSP based on capabilities of both endpoints.
This is also why I'm not including a software implementation.
Nobody would use it in production, software TLS is faster,
it has larger crypto records.
- mlx5 implementation
That's mostly other people's work, not 100% sure those folks
consider it ready hence the RFC in the title. But it works :)
Not posted, queued a branch [4] are follow up pieces:
- standard stats
- netdevsim implementation and tests
[1] https://lore.kernel.org/netdev/20240510030435.120935-1-kuba@kernel.org/
[2] https://github.com/danieldzahka/packetdrill
[3] https://github.com/danieldzahka/fbthrift/tree/dzahka/psp
[4] https://github.com/kuba-moo/linux/tree/psp
Daniel Zahka (2):
net: move sk_validate_xmit_skb() to net/core/dev.c
net: tcp: allow tcp_timewait_sock to validate skbs before handing to
device
Jakub Kicinski (8):
psp: add documentation
psp: base PSP device support
net: modify core data structures for PSP datapath support
tcp: add datapath logic for PSP with inline key exchange
psp: add op for rotation of device key
net: psp: add socket security association code
net: psp: update the TCP MSS to reflect PSP packet overhead
psp: track generations of device key
Raed Salem (7):
net/mlx5e: Support PSP offload functionality
net/mlx5e: Implement PSP operations .assoc_add and .assoc_del
net/mlx5e: Implement PSP Tx data path
net/mlx5e: Add PSP steering in local NIC RX
net/mlx5e: Configure PSP Rx flow steering rules
net/mlx5e: Add Rx data path offload
net/mlx5e: Implement PSP key_rotate operation
Documentation/netlink/specs/psp.yaml | 188 +++++
Documentation/networking/index.rst | 1 +
Documentation/networking/psp.rst | 180 +++++
.../net/ethernet/mellanox/mlx5/core/Kconfig | 11 +
.../net/ethernet/mellanox/mlx5/core/Makefile | 5 +-
drivers/net/ethernet/mellanox/mlx5/core/en.h | 7 +-
.../net/ethernet/mellanox/mlx5/core/en/fs.h | 2 +-
.../ethernet/mellanox/mlx5/core/en/params.c | 4 +-
.../mellanox/mlx5/core/en_accel/en_accel.h | 50 +-
.../mellanox/mlx5/core/en_accel/ipsec_rxtx.h | 2 +-
.../mellanox/mlx5/core/en_accel/psp.c | 209 +++++
.../mellanox/mlx5/core/en_accel/psp.h | 55 ++
.../mellanox/mlx5/core/en_accel/psp_fs.c | 736 ++++++++++++++++++
.../mellanox/mlx5/core/en_accel/psp_fs.h | 30 +
.../mellanox/mlx5/core/en_accel/psp_offload.c | 52 ++
.../mellanox/mlx5/core/en_accel/psp_rxtx.c | 306 ++++++++
.../mellanox/mlx5/core/en_accel/psp_rxtx.h | 125 +++
.../net/ethernet/mellanox/mlx5/core/en_main.c | 9 +
.../net/ethernet/mellanox/mlx5/core/en_rx.c | 50 +-
.../net/ethernet/mellanox/mlx5/core/en_tx.c | 10 +-
drivers/net/ethernet/mellanox/mlx5/core/fw.c | 6 +
.../ethernet/mellanox/mlx5/core/lib/crypto.h | 1 +
.../mellanox/mlx5/core/lib/psp_defs.h | 28 +
.../net/ethernet/mellanox/mlx5/core/main.c | 5 +
drivers/net/ethernet/mellanox/mlx5/core/psp.c | 24 +
drivers/net/ethernet/mellanox/mlx5/core/psp.h | 15 +
include/linux/mlx5/device.h | 4 +
include/linux/mlx5/driver.h | 2 +
include/linux/mlx5/mlx5_ifc.h | 94 ++-
include/linux/netdevice.h | 4 +
include/linux/skbuff.h | 3 +
include/net/dropreason-core.h | 6 +
include/net/inet_timewait_sock.h | 8 +
include/net/psp.h | 12 +
include/net/psp/functions.h | 190 +++++
include/net/psp/types.h | 185 +++++
include/net/sock.h | 26 +-
include/uapi/linux/psp.h | 66 ++
net/Kconfig | 1 +
net/Makefile | 1 +
net/core/dev.c | 32 +
net/core/gro.c | 2 +
net/core/skbuff.c | 4 +
net/ipv4/af_inet.c | 2 +
net/ipv4/inet_timewait_sock.c | 6 +-
net/ipv4/ip_output.c | 5 +-
net/ipv4/tcp.c | 2 +
net/ipv4/tcp_ipv4.c | 13 +-
net/ipv4/tcp_minisocks.c | 16 +
net/ipv4/tcp_output.c | 17 +-
net/ipv6/ipv6_sockglue.c | 6 +-
net/ipv6/tcp_ipv6.c | 17 +-
net/psp/Kconfig | 15 +
net/psp/Makefile | 5 +
net/psp/psp-nl-gen.c | 119 +++
net/psp/psp-nl-gen.h | 39 +
net/psp/psp.h | 54 ++
net/psp/psp_main.c | 148 ++++
net/psp/psp_nl.c | 517 ++++++++++++
net/psp/psp_sock.c | 308 ++++++++
tools/net/ynl/Makefile.deps | 1 +
61 files changed, 3979 insertions(+), 62 deletions(-)
create mode 100644 Documentation/netlink/specs/psp.yaml
create mode 100644 Documentation/networking/psp.rst
create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp.c
create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp.h
create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp_fs.c
create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp_fs.h
create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp_offload.c
create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp_rxtx.c
create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp_rxtx.h
create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/lib/psp_defs.h
create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/psp.c
create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/psp.h
create mode 100644 include/net/psp.h
create mode 100644 include/net/psp/functions.h
create mode 100644 include/net/psp/types.h
create mode 100644 include/uapi/linux/psp.h
create mode 100644 net/psp/Kconfig
create mode 100644 net/psp/Makefile
create mode 100644 net/psp/psp-nl-gen.c
create mode 100644 net/psp/psp-nl-gen.h
create mode 100644 net/psp/psp.h
create mode 100644 net/psp/psp_main.c
create mode 100644 net/psp/psp_nl.c
create mode 100644 net/psp/psp_sock.c
--
2.47.1
Powered by blists - more mailing lists