Message-ID: <58fe1908-48de-4bca-ad4e-4976d24581e6@gmail.com>
Date: Thu, 22 Jan 2026 13:30:18 +0200
From: Tariq Toukan <ttoukan.linux@...il.com>
To: Rishikesh Jethwani <rjethwani@...estorage.com>, netdev@...r.kernel.org
Cc: saeedm@...dia.com, tariqt@...dia.com, mbloch@...dia.com,
borisp@...dia.com, john.fastabend@...il.com, kuba@...nel.org,
sd@...asysnail.net, davem@...emloft.net, pabeni@...hat.com,
edumazet@...gle.com, leon@...nel.org
Subject: Re: [PATCH v4 0/3] tls: Add TLS 1.3 hardware offload support
On 21/01/2026 23:57, Rishikesh Jethwani wrote:
> Hi all,
>
> This patch series adds TLS 1.3 support to the kernel TLS hardware offload
> infrastructure, enabling hardware acceleration for TLS 1.3 connections
> including KeyUpdate (rekey) support.
>
> Background
> ==========
> Currently, the kernel TLS device offload only supports TLS 1.2. With
> TLS 1.3 being the current standard and widely deployed, there is a
> growing need to extend hardware offload support to TLS 1.3 connections.
>
> TLS 1.3 differs from TLS 1.2 in its record format:
>
> TLS 1.2: [Header (5)] + [Explicit IV (8)] + [Ciphertext] + [Tag (16)]
> TLS 1.3: [Header (5)] + [Ciphertext + ContentType (1)] + [Tag (16)]
>
> The key difference is that TLS 1.3 eliminates the explicit IV and
> instead appends the content type byte to the plaintext before
> encryption. This content type byte must be encrypted along with the
> payload for proper authentication tag computation per RFC 8446.
>
> Patch 1: TLS 1.3 hardware offload support
> =========================================
> Changes to tls_device.c, tls_device_fallback.c, and tls_main.c:
>
> - Extended version validation to accept TLS_1_3_VERSION in both
> tls_set_device_offload() and tls_set_device_offload_rx()
> - Modified tls_device_record_close() to append the content type
> byte before the authentication tag for TLS 1.3 records
> - Modified tls_device_reencrypt() to use prot->prepend_size and
> prot->tag_size instead of hardcoded TLS 1.2 values
> - Pre-populated dummy_page with all 256 byte values for memory
> allocation failure fallback path
> - Updated tls_device_fallback.c to handle TLS 1.3 IV construction
> (XOR with sequence number) and version-specific AAD sizes
> - Rekey handling: HW offload key update (rekey) is not yet supported.
>
> Patch 2: Hardware offload key update support
> ============================================
> Changes to include/net/tls.h, net/tls/tls.h, tls_device.c, tls_main.c,
> and tls_sw.c:
>
> - Extended tls_set_device_offload() and tls_set_device_offload_rx()
> with new_crypto_info parameter for key updates
> - During rekey, the old HW context is deleted (tls_dev_del) and a new
> one is added (tls_dev_add) with the updated key material
> - Graceful degradation: if HW key update fails, the connection
> gracefully degrades to software:
> * TX: TLS_TX_DEV_CLOSED is set and sk_validate_xmit_skb switches to
> tls_validate_xmit_skb_sw for software encryption
> * RX: TLS_RX_DEV_DEGRADED and TLS_RX_DEV_CLOSED are set for software
> decryption
> * In both cases, tx_conf/rx_conf remains TLS_HW
> - Record sequence management: during TX rekey, old pending records are
> deleted and unacked_record_sn is reset to the new rec_seq
> - Split tls_set_sw_offload() into tls_sw_ctx_init() and
> tls_sw_ctx_finalize() to allow the HW offload RX path to
> initialize SW context first, attempt HW setup, then
> finalize (memzero new_crypto_info, call tls_finish_key_update)
> - Added TLS_TX_DEV_CLOSED flag to track TX hardware context state,
> to avoid double tls_dev_del call, symmetric with existing
> TLS_RX_DEV_CLOSED.
>
> Patch 3: mlx5 driver enablement
> ===============================
> - TLS 1.3 version detection and validation with proper capability checking
> - TLS 1.3 crypto context configuration using MLX5E_STATIC_PARAMS_CONTEXT_TLS_1_3
> - Correct IV handling for TLS 1.3 (12-byte IV vs TLS 1.2's 4-byte salt)
> - Hardware offload for both TLS 1.3 AES-GCM-128 and AES-GCM-256
>
> Testing
> =======
> Tested on Mellanox ConnectX-6 Dx (Crypto Enabled).
>
> Both TX and RX hardware offload verified working with:
> - TLS 1.3 AES-GCM-128
> - TLS 1.3 AES-GCM-256
> - Multiple KeyUpdate cycles (rekey)
>
> Test methodology: ktls_test : https://github.com/insanum/ktls_test/tree/master
>
> Please review and provide feedback.
>
Hi Rishikesh,
This version doesn't compile for us.
A few comments that we wanted to share on V3, but I'll share here as
this is the latest:
We tested V3 and a few issues were spotted.
We did not debug them though...
We ran a server/client test with nginx and wrk.
a.
When requesting 128-bit key, ss output shows "cipher: aes-gcm-256" for
the respective connection.
For TLS 1.2 it works fine.
b.
On the wrk side, the mlx5 rx_tls_ctx did not increase (meaning no
offloaded connections were opened). It works fine on the nginx side
however...
For TLS 1.2 it works fine.
We can share more info if needed.
Regards,
Tariq
> Thanks,
> Rishikesh
>
> v4:
> - Split single TLS patch into two separate patches:
> * Patch 1: TLS 1.3 basic HW offload support
> * Patch 2: HW offload key update (rekey) support with graceful degradation
> - Removed record_type check from tls_device_record_close()
> - Removed Broadcom bnxt_en out-of-tree driver mention
> - Link to v3: https://lore.kernel.org/netdev/20260102184708.24618-1-rjethwani@purestorage.com/
>
> v3:
> - Added note about Broadcom bnxt_en out-of-tree driver used for testing
> - Link to v2: https://lore.kernel.org/netdev/20251231192322.3791912-1-rjethwani@purestorage.com/
>
> v2:
> - Fixed reverse Christmas tree ordering in variable declarations
> - Combined 'err' and 'i' declarations (reviewer feedback)
> - Link to v1: https://lore.kernel.org/netdev/20251230224137.3600355-1-rjethwani@purestorage.com/
>
> Rishikesh Jethwani (3):
> tls: add TLS 1.3 hardware offload support
> tls: add hardware offload key update support
> mlx5: TLS 1.3 hardware offload support
>
> .../mellanox/mlx5/core/en_accel/ktls.h | 8 +-
> .../mellanox/mlx5/core/en_accel/ktls_txrx.c | 14 +-
> include/net/tls.h | 4 +
> net/tls/tls.h | 14 +-
> net/tls/tls_device.c | 319 +++++++++++++-----
> net/tls/tls_device_fallback.c | 34 +-
> net/tls/tls_main.c | 31 +-
> net/tls/tls_sw.c | 77 +++--
> 8 files changed, 379 insertions(+), 122 deletions(-)
>
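The two record layouts in the cover letter (TLS 1.2 with an explicit IV, TLS 1.3 with the content type folded into the encrypted payload and the nonce derived by XORing the sequence number into the write IV) are the crux of patches 1 and 3. The following is an added example, not part of this thread and not code from the kernel patch series: it builds and verifies both layouts with Go's standard-library AES-GCM. The key, IV, sequence numbers and plaintext are constructed demo values (real ones come from the handshake key schedule), and the function names are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	recordHeaderLen = 5
	gcmTagLen       = 16
	tls12ExplicitIV = 8
	tls13IVLen      = 12
)

// newAEAD wraps a 16- or 32-byte AES key (AES-GCM-128 / AES-GCM-256) in a GCM AEAD.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// tls13Nonce implements RFC 8446 5.3: the 64-bit record sequence number,
// left-padded with zeros to 12 bytes, is XORed into the static 12-byte write IV.
func tls13Nonce(iv []byte, seq uint64) []byte {
	nonce := make([]byte, tls13IVLen)
	copy(nonce, iv)
	var seqBuf [8]byte
	binary.BigEndian.PutUint64(seqBuf[:], seq)
	for i := range seqBuf {
		nonce[tls13IVLen-8+i] ^= seqBuf[i]
	}
	return nonce
}

// tls13Seal builds [Header (5)] + [Ciphertext + ContentType (1)] + [Tag (16)].
// The outer header always claims application_data (0x17); the real content type
// is appended to the plaintext before encryption, so the GCM tag covers it.
func tls13Seal(aead cipher.AEAD, iv []byte, seq uint64, contentType byte, plaintext []byte) []byte {
	innerLen := len(plaintext) + 1 + gcmTagLen
	hdr := []byte{0x17, 0x03, 0x03, byte(innerLen >> 8), byte(innerLen)}
	inner := append(append([]byte{}, plaintext...), contentType)
	record := make([]byte, recordHeaderLen, recordHeaderLen+innerLen)
	copy(record, hdr)
	return aead.Seal(record, tls13Nonce(iv, seq), inner, hdr) // the header is the AAD
}

// tls13Open authenticates and decrypts a TLS 1.3 record, returning the inner content
// type and plaintext; any change to header, payload or the encrypted type byte fails the tag.
func tls13Open(aead cipher.AEAD, iv []byte, seq uint64, record []byte) (byte, []byte, error) {
	if len(record) < recordHeaderLen+1+gcmTagLen {
		return 0, nil, errors.New("record too short")
	}
	hdr := record[:recordHeaderLen]
	inner, err := aead.Open(nil, tls13Nonce(iv, seq), record[recordHeaderLen:], hdr)
	if err != nil {
		return 0, nil, err
	}
	end := len(inner)
	for end > 0 && inner[end-1] == 0 { // strip optional zero padding (RFC 8446 5.4)
		end--
	}
	if end == 0 {
		return 0, nil, errors.New("missing content type")
	}
	return inner[end-1], inner[:end-1], nil
}

// tls12Seal builds [Header (5)] + [Explicit IV (8)] + [Ciphertext] + [Tag (16)] per RFC 5288:
// nonce = 4-byte salt || 8-byte explicit IV (here the sequence number); AAD = seq || type || version || length.
func tls12Seal(aead cipher.AEAD, salt []byte, seq uint64, contentType byte, plaintext []byte) []byte {
	explicit := make([]byte, tls12ExplicitIV)
	binary.BigEndian.PutUint64(explicit, seq)
	nonce := append(append([]byte{}, salt...), explicit...)
	aad := make([]byte, 13)
	binary.BigEndian.PutUint64(aad, seq)
	aad[8], aad[9], aad[10] = contentType, 0x03, 0x03
	binary.BigEndian.PutUint16(aad[11:], uint16(len(plaintext)))
	outerLen := tls12ExplicitIV + len(plaintext) + gcmTagLen
	record := []byte{contentType, 0x03, 0x03, byte(outerLen >> 8), byte(outerLen)}
	record = append(record, explicit...)
	return aead.Seal(record, nonce, plaintext, aad)
}

func main() {
	// Constructed demo key material; real keys and IVs come from the handshake key schedule.
	aead, err := newAEAD([]byte("0123456789abcdef")) // 16-byte key: AES-GCM-128
	if err != nil {
		panic(err)
	}
	iv := []byte("abcdefghijkl") // 12-byte TLS 1.3 write IV; iv[:4] doubles as the TLS 1.2 salt
	pt := []byte("GET / HTTP/1.1\r\n")
	rec13, rec12 := tls13Seal(aead, iv, 0, 0x17, pt), tls12Seal(aead, iv[:4], 0, 0x17, pt)
	fmt.Printf("TLS 1.3: %d bytes, TLS 1.2: %d bytes for %d plaintext bytes\n", len(rec13), len(rec12), len(pt))
	rec13[recordHeaderLen+len(pt)] ^= 0x01 // flip one bit of the encrypted content type byte
	_, _, err = tls13Open(aead, iv, 0, rec13)
	fmt.Println("tampered content type rejected:", err != nil)
}
```

The point the cover letter makes about the trailing content type byte is visible in the tamper check at the end of main: because that byte is inside the ciphertext, a receiver cannot strip or alter it without the tag check failing, which is why an offload path has to encrypt it as part of the payload (what the cover letter describes tls_device_record_close() being modified to do) rather than treating it like the TLS 1.2 explicit IV that sits in the clear. The same functions show why a wrong sequence number on either side produces an authentication failure rather than garbage plaintext, which matters for the rekey path where unacked_record_sn is reset to the new rec_seq.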