From: Tariq Toukan <ttoukan.linux@gmail.com>
To: Daniel Zahka <daniel.zahka@gmail.com>,
Donald Hunter <donald.hunter@gmail.com>,
Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
Jonathan Corbet <corbet@lwn.net>,
Andrew Lunn <andrew+netdev@lunn.ch>
Cc: "Saeed Mahameed" <saeedm@nvidia.com>,
"Leon Romanovsky" <leon@kernel.org>,
"Tariq Toukan" <tariqt@nvidia.com>,
"Boris Pismenny" <borisp@nvidia.com>,
"Kuniyuki Iwashima" <kuniyu@google.com>,
"Willem de Bruijn" <willemb@google.com>,
"David Ahern" <dsahern@kernel.org>,
"Neal Cardwell" <ncardwell@google.com>,
"Patrisious Haddad" <phaddad@nvidia.com>,
"Raed Salem" <raeds@nvidia.com>,
"Jianbo Liu" <jianbol@nvidia.com>,
"Dragos Tatulea" <dtatulea@nvidia.com>,
"Rahul Rameshbabu" <rrameshbabu@nvidia.com>,
"Stanislav Fomichev" <sdf@fomichev.me>,
"Toke Høiland-Jørgensen" <toke@redhat.com>,
"Alexander Lobakin" <aleksander.lobakin@intel.com>,
"Jacob Keller" <jacob.e.keller@intel.com>,
netdev@vger.kernel.org
Subject: Re: [PATCH v3 00/19] add basic PSP encryption for TCP connections
Date: Thu, 3 Jul 2025 16:30:34 +0300 [thread overview]
Message-ID: <74db3f48-95c2-4f94-affa-7932e7593f17@gmail.com> (raw)
In-Reply-To: <20250702171326.3265825-1-daniel.zahka@gmail.com>
On 02/07/2025 20:13, Daniel Zahka wrote:
> This is v3 of the PSP RFC [1] posted by Jakub Kicinski one year
> ago. General developments since v1 include a fork of packetdrill [2]
> with support for PSP added, as well as some test cases, and an
> implementation of PSP key exchange and connection upgrade [3]
> integrated into the fbthrift RPC library. Both [2] and [3] have been
> tested on server platforms with PSP-capable CX7 NICs. Below is the
> cover letter from the original RFC:
>
> Add support for PSP encryption of TCP connections.
>
> PSP is a protocol out of Google:
> https://github.com/google/psp/blob/main/doc/PSP_Arch_Spec.pdf
> which shares some similarities with IPsec. I added some more info
> in the first patch so I'll keep it short here.
>
> The protocol can work in multiple modes including tunneling.
> But I'm mostly interested in using it as TLS replacement because
> of its superior offload characteristics. So this patch does three
> things:
>
> - it adds "core" PSP code
> PSP is offload-centric, and requires some additional care and
> feeding, so first chunk of the code exposes device info.
> This part can be reused by PSP implementations in xfrm, tunneling etc.
>
> - TCP integration TLS style
> Reuse some of the existing concepts from TLS offload, such as
> attaching crypto state to a socket, marking skbs as "decrypted",
> egress validation. PSP does not prescribe key exchange protocols.
> To use PSP as a more efficient TLS offload we intend to perform
> a TLS handshake ("inline" in the same TCP connection) and negotiate
> switching to PSP based on capabilities of both endpoints.
> This is also why I'm not including a software implementation.
> Nobody would use it in production, software TLS is faster,
> it has larger crypto records.
>
> - mlx5 implementation
> That's mostly other people's work, not 100% sure those folks
> consider it ready hence the RFC in the title. But it works :)
>
> Not posted, queued a branch [4] are follow up pieces:
> - standard stats
> - netdevsim implementation and tests
>
> [1] https://lore.kernel.org/netdev/20240510030435.120935-1-kuba@kernel.org/
> [2] https://github.com/danieldzahka/packetdrill
> [3] https://github.com/danieldzahka/fbthrift/tree/dzahka/psp
> [4] https://github.com/kuba-moo/linux/tree/psp
>
> Comments we intend to defer to future series:
> - using INDIRECT_CALL for tls/psp in sk_validate_xmit_skb(). We
> prefer to address this in a dedicated patch series, so that this
> series does not need to modify the way tls_validate_xmit_skb() is
> declared and stubbed out.
>
> CHANGES:
> v3:
> - move psp_rcv() and psp_encapsulate() driver helpers into
> psp_main.c
> - lift pse/pas comparison code into new function:
> psp_pse_matches_pas()
> - explicitly mark rcu critical section psp_reply_set_decrypted()
> - use rcu_dereference_proteced() instead of rcu_read_lock() in
> psp_sk_assoc_free() and psp_twsk_assoc_free()
> - rename psp_is_nondata() to psp_is_allowed_nondata()
> - psp_reply_set_decrypted() should not call psp_sk_assoc(). Call
> psp_sk_get_assoc_rcu() instead.
> - lift common code from timewait and regular socks into new
> function psp_sk_get_assoc_rcu()
> - export symbols in psp_sock.c with EXPORT_IPV6_MOD_GPL()
> - check for sk_is_inet() before casting to inet_twsk() in
> sk_validate_xmit() and in psp_get_assoc_rcu()
> - psp_reply_set_decrypted() does not use stuct sock* arg. Drop it.
> - reword driver requirement about double rotating keys when the device
> supports requesting arbitrary spi key pairs.
>
> v2: https://lore.kernel.org/netdev/20250625135210.2975231-1-daniel.zahka@gmail.com/
> - add pas->dev_id == pse->dev_id to policy checks
> - __psp_sk_rx_policy_check() now allows pure ACKs, FINs, and RSTs to
> be non-psp authenticated before "PSP Full" state.
> - assign tw_validate_skb funtion during psp_twsk_init()
> - psp_skb_get_rcu() also checks if sk is a tcp timewait sock when
> looking for psp assocs.
> - scan ofo queue non-psp data during psp_sock_recv_queue_check()
> - add tcp_write_collapse_fence() to psp_sock_assoc_set_tx()
> - Add psp_reply_set_decrypted() to encapsulate ACKs, FINs, and RSTs
> sent from control socks on behalf of full or timewait socks with PSP
> state.
> - Add dev_id field to psp_skb_ext
> - Move psp_assoc from struct tcp_timewait_sock to struct
> inet_timewait_sock
> - Move psp_sk_assoc_free() from sk_common_release() to
> inet_sock_destruct()
> - add documentation about MITM deletion attack, and expectation
> from userspace
> - add information about accepting clear text ACKs, RSTs, and FINs
> to `Securing Connections` section.
>
> v1: https://lore.kernel.org/netdev/20240510030435.120935-1-kuba@kernel.org/
>
> Daniel Zahka (2):
> net: move sk_validate_xmit_skb() to net/core/dev.c
> net: tcp: allow tcp_timewait_sock to validate skbs before handing to
> device
>
> Jakub Kicinski (8):
> psp: add documentation
> psp: base PSP device support
> net: modify core data structures for PSP datapath support
> tcp: add datapath logic for PSP with inline key exchange
> psp: add op for rotation of device key
> net: psp: add socket security association code
> net: psp: update the TCP MSS to reflect PSP packet overhead
> psp: track generations of device key
>
> Raed Salem (9):
> net/mlx5e: Support PSP offload functionality
> net/mlx5e: Implement PSP operations .assoc_add and .assoc_del
> psp: provide encapsulation helper for drivers
> net/mlx5e: Implement PSP Tx data path
> net/mlx5e: Add PSP steering in local NIC RX
> net/mlx5e: Configure PSP Rx flow steering rules
> psp: provide decapsulation and receive helper for drivers
> net/mlx5e: Add Rx data path offload
> net/mlx5e: Implement PSP key_rotate operation
>
For the mlx5 parts:
Acked-by: Tariq Toukan <tariqt@nvidia.com>
Thanks.
> Documentation/netlink/specs/psp.yaml | 188 +++++
> Documentation/networking/index.rst | 1 +
> Documentation/networking/psp.rst | 183 +++++
> .../net/ethernet/mellanox/mlx5/core/Kconfig | 11 +
> .../net/ethernet/mellanox/mlx5/core/Makefile | 5 +-
> drivers/net/ethernet/mellanox/mlx5/core/en.h | 6 +-
> .../net/ethernet/mellanox/mlx5/core/en/fs.h | 2 +-
> .../ethernet/mellanox/mlx5/core/en/params.c | 4 +-
> .../mellanox/mlx5/core/en_accel/en_accel.h | 50 +-
> .../mellanox/mlx5/core/en_accel/ipsec_rxtx.h | 2 +-
> .../mellanox/mlx5/core/en_accel/psp.c | 209 +++++
> .../mellanox/mlx5/core/en_accel/psp.h | 55 ++
> .../mellanox/mlx5/core/en_accel/psp_fs.c | 736 ++++++++++++++++++
> .../mellanox/mlx5/core/en_accel/psp_fs.h | 30 +
> .../mellanox/mlx5/core/en_accel/psp_offload.c | 52 ++
> .../mellanox/mlx5/core/en_accel/psp_rxtx.c | 204 +++++
> .../mellanox/mlx5/core/en_accel/psp_rxtx.h | 125 +++
> .../net/ethernet/mellanox/mlx5/core/en_main.c | 9 +
> .../net/ethernet/mellanox/mlx5/core/en_rx.c | 50 +-
> .../net/ethernet/mellanox/mlx5/core/en_tx.c | 10 +-
> drivers/net/ethernet/mellanox/mlx5/core/fw.c | 6 +
> .../ethernet/mellanox/mlx5/core/lib/crypto.h | 1 +
> .../net/ethernet/mellanox/mlx5/core/main.c | 5 +
> drivers/net/ethernet/mellanox/mlx5/core/psp.c | 24 +
> drivers/net/ethernet/mellanox/mlx5/core/psp.h | 15 +
> include/linux/mlx5/device.h | 4 +
> include/linux/mlx5/driver.h | 2 +
> include/linux/mlx5/mlx5_ifc.h | 94 ++-
> include/linux/netdevice.h | 4 +
> include/linux/skbuff.h | 3 +
> include/net/dropreason-core.h | 6 +
> include/net/inet_timewait_sock.h | 8 +
> include/net/psp.h | 12 +
> include/net/psp/functions.h | 203 +++++
> include/net/psp/types.h | 187 +++++
> include/net/sock.h | 26 +-
> include/uapi/linux/psp.h | 66 ++
> net/Kconfig | 1 +
> net/Makefile | 1 +
> net/core/dev.c | 32 +
> net/core/gro.c | 2 +
> net/core/skbuff.c | 4 +
> net/ipv4/af_inet.c | 2 +
> net/ipv4/inet_timewait_sock.c | 6 +-
> net/ipv4/ip_output.c | 5 +-
> net/ipv4/tcp.c | 2 +
> net/ipv4/tcp_ipv4.c | 14 +-
> net/ipv4/tcp_minisocks.c | 16 +
> net/ipv4/tcp_output.c | 17 +-
> net/ipv6/ipv6_sockglue.c | 6 +-
> net/ipv6/tcp_ipv6.c | 17 +-
> net/psp/Kconfig | 15 +
> net/psp/Makefile | 5 +
> net/psp/psp-nl-gen.c | 119 +++
> net/psp/psp-nl-gen.h | 39 +
> net/psp/psp.h | 54 ++
> net/psp/psp_main.c | 254 ++++++
> net/psp/psp_nl.c | 517 ++++++++++++
> net/psp/psp_sock.c | 297 +++++++
> tools/net/ynl/Makefile.deps | 1 +
> 60 files changed, 3962 insertions(+), 62 deletions(-)
> create mode 100644 Documentation/netlink/specs/psp.yaml
> create mode 100644 Documentation/networking/psp.rst
> create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp.c
> create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp.h
> create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp_fs.c
> create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp_fs.h
> create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp_offload.c
> create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp_rxtx.c
> create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp_rxtx.h
> create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/psp.c
> create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/psp.h
> create mode 100644 include/net/psp.h
> create mode 100644 include/net/psp/functions.h
> create mode 100644 include/net/psp/types.h
> create mode 100644 include/uapi/linux/psp.h
> create mode 100644 net/psp/Kconfig
> create mode 100644 net/psp/Makefile
> create mode 100644 net/psp/psp-nl-gen.c
> create mode 100644 net/psp/psp-nl-gen.h
> create mode 100644 net/psp/psp.h
> create mode 100644 net/psp/psp_main.c
> create mode 100644 net/psp/psp_nl.c
> create mode 100644 net/psp/psp_sock.c
>
next prev parent reply other threads:[~2025-07-03 13:30 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-02 17:13 [PATCH v3 00/19] add basic PSP encryption for TCP connections Daniel Zahka
2025-07-02 17:13 ` [PATCH v3 01/19] psp: add documentation Daniel Zahka
2025-07-06 14:46 ` Willem de Bruijn
2025-07-02 17:13 ` [PATCH v3 02/19] psp: base PSP device support Daniel Zahka
2025-07-06 15:31 ` Willem de Bruijn
2025-07-07 21:02 ` Jakub Kicinski
2025-07-08 1:08 ` Willem de Bruijn
2025-07-02 17:13 ` [PATCH v3 03/19] net: modify core data structures for PSP datapath support Daniel Zahka
2025-07-06 15:59 ` Willem de Bruijn
2025-07-02 17:13 ` [PATCH v3 04/19] tcp: add datapath logic for PSP with inline key exchange Daniel Zahka
2025-07-06 16:16 ` Willem de Bruijn
2025-07-07 18:12 ` Daniel Zahka
2025-07-08 1:11 ` Willem de Bruijn
2025-07-10 11:58 ` Daniel Zahka
2025-07-10 13:57 ` Willem de Bruijn
2025-07-02 17:13 ` [PATCH v3 05/19] psp: add op for rotation of device key Daniel Zahka
2025-07-06 16:17 ` Willem de Bruijn
2025-07-02 17:13 ` [PATCH v3 06/19] net: move sk_validate_xmit_skb() to net/core/dev.c Daniel Zahka
2025-07-06 16:20 ` Willem de Bruijn
2025-07-02 17:13 ` [PATCH v3 07/19] net: tcp: allow tcp_timewait_sock to validate skbs before handing to device Daniel Zahka
2025-07-06 16:23 ` Willem de Bruijn
2025-07-02 17:13 ` [PATCH v3 08/19] net: psp: add socket security association code Daniel Zahka
2025-07-06 16:47 ` Willem de Bruijn
2025-07-07 21:10 ` Jakub Kicinski
2025-07-14 15:10 ` Daniel Zahka
2025-07-07 21:20 ` Jakub Kicinski
2025-07-02 17:13 ` [PATCH v3 09/19] net: psp: update the TCP MSS to reflect PSP packet overhead Daniel Zahka
2025-07-06 16:49 ` Willem de Bruijn
2025-07-06 17:15 ` Willem de Bruijn
2025-07-02 17:13 ` [PATCH v3 10/19] psp: track generations of device key Daniel Zahka
2025-07-06 16:56 ` Willem de Bruijn
2025-07-07 21:19 ` Jakub Kicinski
2025-07-08 1:06 ` Willem de Bruijn
2025-07-02 17:13 ` [PATCH v3 11/19] net/mlx5e: Support PSP offload functionality Daniel Zahka
2025-07-11 12:54 ` Cosmin Ratiu
2025-07-11 17:41 ` Daniel Zahka
2025-07-02 17:13 ` [PATCH v3 12/19] net/mlx5e: Implement PSP operations .assoc_add and .assoc_del Daniel Zahka
2025-07-11 12:57 ` Cosmin Ratiu
2025-07-02 17:13 ` [PATCH v3 13/19] psp: provide encapsulation helper for drivers Daniel Zahka
2025-07-06 16:59 ` Willem de Bruijn
2025-07-02 17:13 ` [PATCH v3 14/19] net/mlx5e: Implement PSP Tx data path Daniel Zahka
2025-07-11 13:06 ` Cosmin Ratiu
2025-07-02 17:13 ` [PATCH v3 15/19] net/mlx5e: Add PSP steering in local NIC RX Daniel Zahka
2025-07-11 12:59 ` Cosmin Ratiu
2025-07-02 17:13 ` [PATCH v3 16/19] net/mlx5e: Configure PSP Rx flow steering rules Daniel Zahka
2025-07-02 17:13 ` [PATCH v3 17/19] psp: provide decapsulation and receive helper for drivers Daniel Zahka
2025-07-06 17:07 ` Willem de Bruijn
2025-07-02 17:13 ` [PATCH v3 18/19] net/mlx5e: Add Rx data path offload Daniel Zahka
2025-07-11 13:01 ` Cosmin Ratiu
2025-07-02 17:13 ` [PATCH v3 19/19] net/mlx5e: Implement PSP key_rotate operation Daniel Zahka
2025-07-03 13:30 ` Tariq Toukan [this message]
2025-07-11 13:11 ` [PATCH v3 00/19] add basic PSP encryption for TCP connections Cosmin Ratiu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=74db3f48-95c2-4f94-affa-7932e7593f17@gmail.com \
--to=ttoukan.linux@gmail.com \
--cc=aleksander.lobakin@intel.com \
--cc=andrew+netdev@lunn.ch \
--cc=borisp@nvidia.com \
--cc=corbet@lwn.net \
--cc=daniel.zahka@gmail.com \
--cc=davem@davemloft.net \
--cc=donald.hunter@gmail.com \
--cc=dsahern@kernel.org \
--cc=dtatulea@nvidia.com \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jacob.e.keller@intel.com \
--cc=jianbol@nvidia.com \
--cc=kuba@kernel.org \
--cc=kuniyu@google.com \
--cc=leon@kernel.org \
--cc=ncardwell@google.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=phaddad@nvidia.com \
--cc=raeds@nvidia.com \
--cc=rrameshbabu@nvidia.com \
--cc=saeedm@nvidia.com \
--cc=sdf@fomichev.me \
--cc=tariqt@nvidia.com \
--cc=toke@redhat.com \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.