| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20260121215727.3994324-1-rjethwani@purestorage.com>
Date: Wed, 21 Jan 2026 14:57:24 -0700
From: Rishikesh Jethwani <rjethwani@...estorage.com>
To: netdev@...r.kernel.org
Cc: saeedm@...dia.com,
tariqt@...dia.com,
mbloch@...dia.com,
borisp@...dia.com,
john.fastabend@...il.com,
kuba@...nel.org,
sd@...asysnail.net,
davem@...emloft.net,
pabeni@...hat.com,
edumazet@...gle.com,
leon@...nel.org,
Rishikesh Jethwani <rjethwani@...estorage.com>
Subject: [PATCH v4 0/3] tls: Add TLS 1.3 hardware offload support
Hi all,
This patch series adds TLS 1.3 support to the kernel TLS hardware offload
infrastructure, enabling hardware acceleration for TLS 1.3 connections
including KeyUpdate (rekey) support.
Background
==========
Currently, the kernel TLS device offload only supports TLS 1.2. With
TLS 1.3 being the current standard and widely deployed, there is a
growing need to extend hardware offload support to TLS 1.3 connections.
TLS 1.3 differs from TLS 1.2 in its record format:
TLS 1.2: [Header (5)] + [Explicit IV (8)] + [Ciphertext] + [Tag (16)]
TLS 1.3: [Header (5)] + [Ciphertext + ContentType (1)] + [Tag (16)]
The key difference is that TLS 1.3 eliminates the explicit IV and
instead appends the content type byte to the plaintext before
encryption. This content type byte must be encrypted along with the
payload for proper authentication tag computation per RFC 8446.
Patch 1: TLS 1.3 hardware offload support
=========================================
Changes to tls_device.c, tls_device_fallback.c, and tls_main.c:
- Extended version validation to accept TLS_1_3_VERSION in both
tls_set_device_offload() and tls_set_device_offload_rx()
- Modified tls_device_record_close() to append the content type
byte before the authentication tag for TLS 1.3 records
- Modified tls_device_reencrypt() to use prot->prepend_size and
prot->tag_size instead of hardcoded TLS 1.2 values
- Pre-populated dummy_page with all 256 byte values for memory
allocation failure fallback path
- Updated tls_device_fallback.c to handle TLS 1.3 IV construction
(XOR with sequence number) and version-specific AAD sizes
- Rekey handling: HW offload key update (rekey) is not yet supported.
Patch 2: Hardware offload key update support
============================================
Changes to include/net/tls.h, net/tls/tls.h, tls_device.c, tls_main.c,
and tls_sw.c:
- Extended tls_set_device_offload() and tls_set_device_offload_rx()
with new_crypto_info parameter for key updates
- During rekey, the old HW context is deleted (tls_dev_del) and a new
one is added (tls_dev_add) with the updated key material
- Graceful degradation: if HW key update fails, the connection
gracefully degrades to software:
* TX: TLS_TX_DEV_CLOSED is set and sk_validate_xmit_skb switches to
tls_validate_xmit_skb_sw for software encryption
* RX: TLS_RX_DEV_DEGRADED and TLS_RX_DEV_CLOSED are set for software
decryption
* In both cases, tx_conf/rx_conf remains TLS_HW
- Record sequence management: during TX rekey, old pending records are
deleted and unacked_record_sn is reset to the new rec_seq
- Split tls_set_sw_offload() into tls_sw_ctx_init() and
tls_sw_ctx_finalize() to allow the HW offload RX path to
initialize SW context first, attempt HW setup, then
finalize (memzero new_crypto_info, call tls_finish_key_update)
- Added TLS_TX_DEV_CLOSED flag to track TX hardware context state,
to avoid double tls_dev_del call, symmetric with existing
TLS_RX_DEV_CLOSED.
Patch 3: mlx5 driver enablement
===============================
- TLS 1.3 version detection and validation with proper capability checking
- TLS 1.3 crypto context configuration using MLX5E_STATIC_PARAMS_CONTEXT_TLS_1_3
- Correct IV handling for TLS 1.3 (12-byte IV vs TLS 1.2's 4-byte salt)
- Hardware offload for both TLS 1.3 AES-GCM-128 and AES-GCM-256
Testing
=======
Tested on Mellanox ConnectX-6 Dx (Crypto Enabled).
Both TX and RX hardware offload verified working with:
- TLS 1.3 AES-GCM-128
- TLS 1.3 AES-GCM-256
- Multiple KeyUpdate cycles (rekey)
Test methodology: ktls_test : https://github.com/insanum/ktls_test/tree/master
Please review and provide feedback.
Thanks,
Rishikesh
v4:
- Split single TLS patch into two separate patches:
* Patch 1: TLS 1.3 basic HW offload support
* Patch 2: HW offload key update (rekey) support with graceful degradation
- Removed record_type check from tls_device_record_close()
- Removed Broadcom bnxt_en out-of-tree driver mention
- Link to v3: https://lore.kernel.org/netdev/20260102184708.24618-1-rjethwani@purestorage.com/
v3:
- Added note about Broadcom bnxt_en out-of-tree driver used for testing
- Link to v2: https://lore.kernel.org/netdev/20251231192322.3791912-1-rjethwani@purestorage.com/
v2:
- Fixed reverse Christmas tree ordering in variable declarations
- Combined 'err' and 'i' declarations (reviewer feedback)
- Link to v1: https://lore.kernel.org/netdev/20251230224137.3600355-1-rjethwani@purestorage.com/
Rishikesh Jethwani (3):
tls: add TLS 1.3 hardware offload support
tls: add hardware offload key update support
mlx5: TLS 1.3 hardware offload support
.../mellanox/mlx5/core/en_accel/ktls.h | 8 +-
.../mellanox/mlx5/core/en_accel/ktls_txrx.c | 14 +-
include/net/tls.h | 4 +
net/tls/tls.h | 14 +-
net/tls/tls_device.c | 319 +++++++++++++-----
net/tls/tls_device_fallback.c | 34 +-
net/tls/tls_main.c | 31 +-
net/tls/tls_sw.c | 77 +++--
8 files changed, 379 insertions(+), 122 deletions(-)
--
2.25.1
Powered by blists - more mailing lists