From: Daniel Zahka <daniel.zahka@gmail.com>
To: Donald Hunter <donald.hunter@gmail.com>,
Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
Jonathan Corbet <corbet@lwn.net>,
Andrew Lunn <andrew+netdev@lunn.ch>
Cc: "Saeed Mahameed" <saeedm@nvidia.com>,
"Leon Romanovsky" <leon@kernel.org>,
"Tariq Toukan" <tariqt@nvidia.com>,
"Boris Pismenny" <borisp@nvidia.com>,
"Kuniyuki Iwashima" <kuniyu@google.com>,
"Willem de Bruijn" <willemb@google.com>,
"David Ahern" <dsahern@kernel.org>,
"Neal Cardwell" <ncardwell@google.com>,
"Patrisious Haddad" <phaddad@nvidia.com>,
"Raed Salem" <raeds@nvidia.com>,
"Jianbo Liu" <jianbol@nvidia.com>,
"Dragos Tatulea" <dtatulea@nvidia.com>,
"Rahul Rameshbabu" <rrameshbabu@nvidia.com>,
"Stanislav Fomichev" <sdf@fomichev.me>,
"Toke Høiland-Jørgensen" <toke@redhat.com>,
"Alexander Lobakin" <aleksander.lobakin@intel.com>,
"Kiran Kella" <kiran.kella@broadcom.com>,
"Jacob Keller" <jacob.e.keller@intel.com>,
netdev@vger.kernel.org
Subject: [PATCH net-next v7 09/19] net: psp: update the TCP MSS to reflect PSP packet overhead
Date: Wed, 20 Aug 2025 04:31:07 -0700 [thread overview]
Message-ID: <20250820113120.992829-10-daniel.zahka@gmail.com> (raw)
In-Reply-To: <20250820113120.992829-1-daniel.zahka@gmail.com>
From: Jakub Kicinski <kuba@kernel.org>
PSP eats 32B of header space. Adjust MSS appropriately.
We can either modify tcp_mtu_to_mss() / tcp_mss_to_mtu()
or reuse icsk_ext_hdr_len. The former option is more TCP
specific and has runtime overhead. The latter is a bit
of a hack as PSP is not an ext_hdr. If one squints hard
enough, UDP encap is just a more practical version of
IPv6 exthdr, so go with the latter. Happy to change.
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Daniel Zahka <daniel.zahka@gmail.com>
---
Notes:
v6:
- make psp_sk_overhead() add 40B of encapsulation overhead.
v1:
- https://lore.kernel.org/netdev/20240510030435.120935-8-kuba@kernel.org/
include/net/psp/functions.h | 14 ++++++++++++++
include/net/psp/types.h | 3 +++
net/ipv4/tcp_ipv4.c | 4 ++--
net/ipv6/ipv6_sockglue.c | 6 +++++-
net/ipv6/tcp_ipv6.c | 6 +++---
net/psp/psp_sock.c | 5 +++++
6 files changed, 32 insertions(+), 6 deletions(-)
diff --git a/include/net/psp/functions.h b/include/net/psp/functions.h
index bf703dcf353f..958c50dad34d 100644
--- a/include/net/psp/functions.h
+++ b/include/net/psp/functions.h
@@ -5,6 +5,7 @@
#include <linux/skbuff.h>
#include <linux/rcupdate.h>
+#include <linux/udp.h>
#include <net/sock.h>
#include <net/tcp.h>
#include <net/psp/types.h>
@@ -139,6 +140,14 @@ static inline struct psp_assoc *psp_skb_get_assoc_rcu(struct sk_buff *skb)
return psp_sk_get_assoc_rcu(skb->sk);
}
+
+static inline unsigned int psp_sk_overhead(const struct sock *sk)
+{
+ int psp_encap = sizeof(struct udphdr) + PSP_HDR_SIZE + PSP_TRL_SIZE;
+ bool has_psp = rcu_access_pointer(sk->psp_assoc);
+
+ return has_psp ? psp_encap : 0;
+}
#else
static inline void psp_sk_assoc_free(struct sock *sk) { }
static inline void
@@ -178,6 +187,11 @@ static inline struct psp_assoc *psp_skb_get_assoc_rcu(struct sk_buff *skb)
{
return NULL;
}
+
+static inline unsigned int psp_sk_overhead(const struct sock *sk)
+{
+ return 0;
+}
#endif
static inline unsigned long
diff --git a/include/net/psp/types.h b/include/net/psp/types.h
index b0e32e7165a3..f93ad0e6c04f 100644
--- a/include/net/psp/types.h
+++ b/include/net/psp/types.h
@@ -93,6 +93,9 @@ struct psp_dev_caps {
#define PSP_MAX_KEY 32
+#define PSP_HDR_SIZE 16 /* We don't support optional fields, yet */
+#define PSP_TRL_SIZE 16 /* AES-GCM/GMAC trailer size */
+
struct psp_skb_ext {
__be32 spi;
u16 dev_id;
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 35e2a1ce87b8..3c3e8760f89b 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -293,9 +293,9 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
inet->inet_dport = usin->sin_port;
sk_daddr_set(sk, daddr);
- inet_csk(sk)->icsk_ext_hdr_len = 0;
+ inet_csk(sk)->icsk_ext_hdr_len = psp_sk_overhead(sk);
if (inet_opt)
- inet_csk(sk)->icsk_ext_hdr_len = inet_opt->opt.optlen;
+ inet_csk(sk)->icsk_ext_hdr_len += inet_opt->opt.optlen;
tp->rx_opt.mss_clamp = TCP_MSS_DEFAULT;
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index e66ec623972e..a61e742794f9 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -49,6 +49,7 @@
#include <net/xfrm.h>
#include <net/compat.h>
#include <net/seg6.h>
+#include <net/psp.h>
#include <linux/uaccess.h>
@@ -107,7 +108,10 @@ struct ipv6_txoptions *ipv6_update_options(struct sock *sk,
!((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE)) &&
inet_sk(sk)->inet_daddr != LOOPBACK4_IPV6) {
struct inet_connection_sock *icsk = inet_csk(sk);
- icsk->icsk_ext_hdr_len = opt->opt_flen + opt->opt_nflen;
+
+ icsk->icsk_ext_hdr_len =
+ psp_sk_overhead(sk) +
+ opt->opt_flen + opt->opt_nflen;
icsk->icsk_sync_mss(sk, icsk->icsk_pmtu_cookie);
}
}
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 6a89edda31c7..adf83ec25b66 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -302,10 +302,10 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
sk->sk_gso_type = SKB_GSO_TCPV6;
ip6_dst_store(sk, dst, NULL, NULL);
- icsk->icsk_ext_hdr_len = 0;
+ icsk->icsk_ext_hdr_len = psp_sk_overhead(sk);
if (opt)
- icsk->icsk_ext_hdr_len = opt->opt_flen +
- opt->opt_nflen;
+ icsk->icsk_ext_hdr_len += opt->opt_flen +
+ opt->opt_nflen;
tp->rx_opt.mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) - sizeof(struct ipv6hdr);
diff --git a/net/psp/psp_sock.c b/net/psp/psp_sock.c
index 9b761d186e80..66abf160e16c 100644
--- a/net/psp/psp_sock.c
+++ b/net/psp/psp_sock.c
@@ -180,6 +180,7 @@ int psp_sock_assoc_set_tx(struct sock *sk, struct psp_dev *psd,
u32 version, struct psp_key_parsed *key,
struct netlink_ext_ack *extack)
{
+ struct inet_connection_sock *icsk;
struct psp_assoc *pas, *dummy;
int err;
@@ -236,6 +237,10 @@ int psp_sock_assoc_set_tx(struct sock *sk, struct psp_dev *psd,
tcp_write_collapse_fence(sk);
pas->upgrade_seq = tcp_sk(sk)->rcv_nxt;
+ icsk = inet_csk(sk);
+ icsk->icsk_ext_hdr_len += psp_sk_overhead(sk);
+ icsk->icsk_sync_mss(sk, icsk->icsk_pmtu_cookie);
+
exit_free_dummy:
kfree(dummy);
exit_unlock:
--
2.47.3
next prev parent reply other threads:[~2025-08-20 11:31 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-20 11:30 [PATCH net-next v7.0 00/19] add basic PSP encryption for TCP connections Daniel Zahka
2025-08-20 11:30 ` [PATCH net-next v7 01/19] psp: add documentation Daniel Zahka
2025-08-20 11:31 ` [PATCH net-next v7 02/19] psp: base PSP device support Daniel Zahka
2025-08-20 11:31 ` [PATCH net-next v7 03/19] net: modify core data structures for PSP datapath support Daniel Zahka
2025-08-20 11:31 ` [PATCH net-next v7 04/19] tcp: add datapath logic for PSP with inline key exchange Daniel Zahka
2025-08-20 11:31 ` [PATCH net-next v7 05/19] psp: add op for rotation of device key Daniel Zahka
2025-08-20 11:31 ` [PATCH net-next v7 06/19] net: move sk_validate_xmit_skb() to net/core/dev.c Daniel Zahka
2025-08-20 11:31 ` [PATCH net-next v7 07/19] net: tcp: allow tcp_timewait_sock to validate skbs before handing to device Daniel Zahka
2025-08-20 11:31 ` [PATCH net-next v7 08/19] net: psp: add socket security association code Daniel Zahka
2025-08-20 11:31 ` Daniel Zahka [this message]
2025-08-20 11:31 ` [PATCH net-next v7 10/19] psp: track generations of device key Daniel Zahka
2025-08-20 11:31 ` [PATCH net-next v7 11/19] net/mlx5e: Support PSP offload functionality Daniel Zahka
2025-08-20 11:31 ` [PATCH net-next v7 12/19] net/mlx5e: Implement PSP operations .assoc_add and .assoc_del Daniel Zahka
2025-08-20 11:31 ` [PATCH net-next v7 13/19] psp: provide encapsulation helper for drivers Daniel Zahka
2025-08-20 11:31 ` [PATCH net-next v7 14/19] net/mlx5e: Implement PSP Tx data path Daniel Zahka
2025-08-20 11:31 ` [PATCH net-next v7 15/19] net/mlx5e: Add PSP steering in local NIC RX Daniel Zahka
2025-08-20 11:31 ` [PATCH net-next v7 16/19] net/mlx5e: Configure PSP Rx flow steering rules Daniel Zahka
2025-08-20 11:31 ` [PATCH net-next v7 17/19] psp: provide decapsulation and receive helper for drivers Daniel Zahka
2025-08-20 11:31 ` [PATCH net-next v7 18/19] net/mlx5e: Add Rx data path offload Daniel Zahka
2025-08-20 11:31 ` [PATCH net-next v7 19/19] net/mlx5e: Implement PSP key_rotate operation Daniel Zahka
2025-08-20 14:06 ` [PATCH net-next v7.0 00/19] add basic PSP encryption for TCP connections Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250820113120.992829-10-daniel.zahka@gmail.com \
--to=daniel.zahka@gmail.com \
--cc=aleksander.lobakin@intel.com \
--cc=andrew+netdev@lunn.ch \
--cc=borisp@nvidia.com \
--cc=corbet@lwn.net \
--cc=davem@davemloft.net \
--cc=donald.hunter@gmail.com \
--cc=dsahern@kernel.org \
--cc=dtatulea@nvidia.com \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jacob.e.keller@intel.com \
--cc=jianbol@nvidia.com \
--cc=kiran.kella@broadcom.com \
--cc=kuba@kernel.org \
--cc=kuniyu@google.com \
--cc=leon@kernel.org \
--cc=ncardwell@google.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=phaddad@nvidia.com \
--cc=raeds@nvidia.com \
--cc=rrameshbabu@nvidia.com \
--cc=saeedm@nvidia.com \
--cc=sdf@fomichev.me \
--cc=tariqt@nvidia.com \
--cc=toke@redhat.com \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.