| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20251231192322.3791912-2-rjethwani@purestorage.com>
Date: Wed, 31 Dec 2025 12:23:21 -0700
From: Rishikesh Jethwani <rjethwani@...estorage.com>
To: netdev@...r.kernel.org
Cc: saeedm@...dia.com,
tariqt@...dia.com,
mbloch@...dia.com,
borisp@...dia.com,
john.fastabend@...il.com,
kuba@...nel.org,
sd@...asysnail.net,
davem@...emloft.net,
Rishikesh Jethwani <rjethwani@...estorage.com>
Subject: [PATCH v2 1/2] tls: TLS 1.3 hardware offload support
Add TLS 1.3 support to the kernel TLS hardware offload infrastructure,
enabling hardware acceleration for TLS 1.3 connections on capable NICs.
This patch implements the critical differences between TLS 1.2 and TLS 1.3
record formats for hardware offload:
TLS 1.2 record structure:
[Header (5)] + [Explicit IV (8)] + [Ciphertext] + [Tag (16)]
TLS 1.3 record structure:
[Header (5)] + [Ciphertext + ContentType (1)] + [Tag (16)]
Key changes:
1. Content type handling: In TLS 1.3, the content type byte is appended
to the plaintext before encryption and tag computation. This byte must
be encrypted along with the ciphertext to compute the correct
authentication tag. Modified tls_device_record_close() to append
the content type before the tag for TLS 1.3 records.
2. Version validation: Both tls_set_device_offload() and
tls_set_device_offload_rx() now accept TLS_1_3_VERSION in addition
to TLS_1_2_VERSION.
3. Pre-populate dummy_page with valid record types for memory
allocation failure fallback path.
Note: TLS 1.3 protocol parameters (aad_size, tail_size, prepend_size)
are already handled by init_prot_info() in tls_sw.c.
Testing:
Verified on Broadcom BCM957608 (Thor 2) and Mellanox ConnectX-6 Dx
(Crypto Enabled) using ktls_test. Both TX and RX hardware offload working
successfully with TLS 1.3 AES-GCM-128 and AES-GCM-256 cipher suites.
Signed-off-by: Rishikesh Jethwani <rjethwani@...estorage.com>
---
net/tls/tls_device.c | 49 ++++++++++++++++++++++++++++++++++++++++----
1 file changed, 45 insertions(+), 4 deletions(-)
diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
index 82ea407e520a..f57e96862b1c 100644
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
@@ -319,6 +319,36 @@ static void tls_device_record_close(struct sock *sk,
struct tls_prot_info *prot = &ctx->prot_info;
struct page_frag dummy_tag_frag;
+ /* TLS 1.3: append content type byte before tag.
+ * Record structure: [Header (5)] + [Ciphertext + ContentType (1)] + [Tag (16)]
+ * The content type is encrypted with the ciphertext for authentication.
+ */
+ if (prot->version == TLS_1_3_VERSION) {
+ struct page_frag dummy_content_type_frag;
+ struct page_frag *content_type_pfrag = pfrag;
+
+ /* Validate record type range */
+ if (unlikely(record_type < TLS_RECORD_TYPE_CHANGE_CIPHER_SPEC ||
+ record_type > TLS_RECORD_TYPE_ACK)) {
+ pr_err_once("tls_device: invalid record type %u\n",
+ record_type);
+ return;
+ }
+
+ if (unlikely(pfrag->size - pfrag->offset < prot->tail_size) &&
+ !skb_page_frag_refill(prot->tail_size, pfrag, sk->sk_allocation)) {
+ /* Out of memory: use pre-populated dummy_page */
+ dummy_content_type_frag.page = dummy_page;
+ dummy_content_type_frag.offset = record_type;
+ content_type_pfrag = &dummy_content_type_frag;
+ } else {
+ /* Current pfrag has space or allocation succeeded - write content type */
+ *(unsigned char *)(page_address(pfrag->page) + pfrag->offset) =
+ record_type;
+ }
+ tls_append_frag(record, content_type_pfrag, prot->tail_size);
+ }
+
/* append tag
* device will fill in the tag, we just need to append a placeholder
* use socket memory to improve coalescing (re-using a single buffer
@@ -335,7 +365,7 @@ static void tls_device_record_close(struct sock *sk,
/* fill prepend */
tls_fill_prepend(ctx, skb_frag_address(&record->frags[0]),
- record->len - prot->overhead_size,
+ (record->len - prot->overhead_size) + prot->tail_size,
record_type);
}
@@ -1089,7 +1119,8 @@ int tls_set_device_offload(struct sock *sk)
}
crypto_info = &ctx->crypto_send.info;
- if (crypto_info->version != TLS_1_2_VERSION) {
+ if (crypto_info->version != TLS_1_2_VERSION &&
+ crypto_info->version != TLS_1_3_VERSION) {
rc = -EOPNOTSUPP;
goto release_netdev;
}
@@ -1196,7 +1227,8 @@ int tls_set_device_offload_rx(struct sock *sk, struct tls_context *ctx)
struct net_device *netdev;
int rc = 0;
- if (ctx->crypto_recv.info.version != TLS_1_2_VERSION)
+ if (ctx->crypto_recv.info.version != TLS_1_2_VERSION &&
+ ctx->crypto_recv.info.version != TLS_1_3_VERSION)
return -EOPNOTSUPP;
netdev = get_netdev_for_sock(sk);
@@ -1409,12 +1441,21 @@ static struct notifier_block tls_dev_notifier = {
int __init tls_device_init(void)
{
- int err;
+ unsigned char *page_addr;
+ int err, i;
dummy_page = alloc_page(GFP_KERNEL);
if (!dummy_page)
return -ENOMEM;
+ /* Pre-populate dummy_page with all valid TLS record types
+ * at their corresponding offsets for TLS 1.3 content type
+ * fallback path
+ */
+ page_addr = page_address(dummy_page);
+ for (i = TLS_RECORD_TYPE_CHANGE_CIPHER_SPEC; i <= TLS_RECORD_TYPE_ACK; i++)
+ page_addr[i] = (unsigned char)i;
+
destruct_wq = alloc_workqueue("ktls_device_destruct", WQ_PERCPU, 0);
if (!destruct_wq) {
err = -ENOMEM;
--
2.25.1
Powered by blists - more mailing lists