From: Sabrina Dubroca <sd@queasysnail.net>
To: Rishikesh Jethwani <rjethwani@purestorage.com>
Cc: netdev@vger.kernel.org, saeedm@nvidia.com, tariqt@nvidia.com,
mbloch@nvidia.com, borisp@nvidia.com, john.fastabend@gmail.com,
kuba@kernel.org, davem@davemloft.net, pabeni@redhat.com,
edumazet@google.com, leon@kernel.org
Subject: Re: [PATCH v13 6/6] selftests: net: add TLS hardware offload test
Date: Wed, 6 May 2026 19:07:23 +0200
Message-ID: <aft1S8uBtoyiDdmm@krikkit>
In-Reply-To: <20260429181016.3164935-7-rjethwani@purestorage.com>
2026-04-29, 12:10:16 -0600, Rishikesh Jethwani wrote:
[...]
> +static int do_client(void)
> +{
Both this and do_server could be refactored into a few nice helpers
(prep the socket up to connect+ulp/accept+ulp, echo handling, rekey,
payload verification on RX).
[...]
> + for (i = 1; i <= num_iterations; i++) {
> + int this_size;
> +
> + if (random_size_max > 0)
> + this_size = (rand() % random_size_max) + 1;
> + else
> + this_size = send_size;
> +
> + /* In burst mode, use a per-iteration fill pattern so the
> + * receiver can detect any plaintext corruption without a
> + * round-trip echo.
> + */
> + if (burst_mode) {
> + memset(buf, i & 0xFF, this_size);
> + } else {
> + for (j = 0; j < this_size; j++)
> + buf[j] = rand() & 0xFF;
> + }
> +
> + n = send(csk, buf, this_size, 0);
> + if (n != this_size) {
> + printf("FAIL: send failed: %s\n", strerror(errno));
> + goto out;
> + }
> + /* Throttle per-iteration progress lines on long burst runs so
> + * stdout over ssh doesn't become the bottleneck.
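Review bot: the failure path at `if (n != this_size)` treats a short send like a hard error and prints `strerror(errno)`, but when `send()` returns a positive count smaller than `this_size` errno is not set, so the message carries a stale errno (or "Success"); loop until `this_size` bytes have gone out, or at least report `n` and `this_size` separately, so a partial write is not logged as a failed send. Also, the burst-mode fill byte `i & 0xFF` is 0x00 for every iteration that is a multiple of 256, which the receiver cannot tell apart from a receive buffer that was never written; a fill such as `(i % 255) + 1` keeps the per-iteration pattern while never producing an all-zero chunk.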
I'm not sure those lines have enough benefit in burst mode to be worth
printing. (same on the server side)
> +static int do_server(void)
> +{
[...]
> + while (1) {
[...]
> + /* Burst mode: verify payload matches the client's fill
> + * pattern. TLS record boundaries may differ from send()
> + * boundaries, so walk the received buffer in chunks that
> + * fit within the current iteration's remaining bytes.
> + * Catches decrypt-succeeded-but-plaintext-corrupt bugs
> + * that AEAD counters alone would miss.
> + */
> + if (burst_mode) {
> + int off = 0;
> +
> + while (off < n) {
This would be a good deal simpler if you passed MSG_WAITALL to the
recvmsg call in burst mode. Then you'd get the full chunk of data for
that iteration.
[...]
> +static void print_usage(const char *prog)
> +{
> + printf("TLS Hardware Offload Two-Node Test\n\n");
> + printf("Usage:\n");
> + printf(" %s server [OPTIONS]\n", prog);
> + printf(" %s client -s <ip> [OPTIONS]\n", prog);
> + printf("\nOptions:\n");
> + printf(" -s <ip> Server IPv4 address (client, required)\n");
> + printf(" -p <port> Server port (default: 4433)\n");
> + printf(" -b <size> Send buffer size in bytes (default: 16384)\n");
> + printf(" -r <max> Use random send buffer sizes (1..<max>)\n");
> + printf(" -v <version> TLS version: 1.2 or 1.3 (default: 1.3)\n");
> + printf(" -c <cipher> Cipher: 128 or 256 (default: 128)\n");
> + printf(" -n <N> Number of send/echo iterations (default: 100)\n");
> + printf(" -k <N> Perform N rekeys (client only, TLS 1.3; N < iterations)\n");
> + printf(" -B Burst mode: client sends continuously without echo;\n");
> + printf(" server drains and handles KeyUpdate without responding.\n");
> + printf(" -Z Enable zero-copy RX (TLS_RX_EXPECT_NO_PAD);\n");
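Review bot: several constraints here exist only as help text (`-k` is client only, TLS 1.3 only and needs `N < iterations`; `-s` is required for the client), so option parsing should reject invalid combinations with a clear message rather than relying on the user reading this block. The `-r` line should also state whether random sizes are supported together with `-B`: the burst-mode receiver (per the do_server comment) walks the data in per-iteration chunks and has to know each iteration's size.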
This is misleading, since zero-copy RX will be enabled by default for 1.2.
> diff --git a/tools/testing/selftests/drivers/net/hw/tls_hw_offload.py b/tools/testing/selftests/drivers/net/hw/tls_hw_offload.py
> new file mode 100755
> index 000000000000..f12da0e66afd
> --- /dev/null
> +++ b/tools/testing/selftests/drivers/net/hw/tls_hw_offload.py
[...]
> +def verify_tls_counters(stats_before, stats_after, expected_rekeys,
> + tls_role, is_dut, burst=False):
> + """Verify TLS counters on one side of the connection.
Even with the introduction of the check_* helpers, this function still
has a lot of c/p'd code just depending on role and test mode.
> + tls_role: 'client' or 'server' (TLS role this side played).
> + is_dut: True for the local DUT; requires HW offload counters.
> + burst: burst mode - only the TLS client rotates its TX key; the TLS
> + server only follows with an RX rotation on KeyUpdate receipt.
> + """
> + errors = 0
> + role = 'DUT' if is_dut else 'Peer'
> +
> + # In burst mode only one direction carries TLS traffic per side
> + # (TLS client sends, TLS server receives). Check HW offload only on
> + # the active direction(s); require HW on the DUT's active direction.
> + if burst:
> + if tls_role == 'client':
> + errors += check_path(stats_before, stats_after, 'Tx', role,
> + require_hw=is_dut)
> + else:
> + errors += check_path(stats_before, stats_after, 'Rx', role,
> + require_hw=is_dut)
> + else:
> + errors += check_path(stats_before, stats_after, 'Tx', role,
> + require_hw=is_dut)
> + errors += check_path(stats_before, stats_after, 'Rx', role,
> + require_hw=is_dut)
# in burst mode, client does TX and server only does RX
# otherwise, both sides do both TX and RX
with_tx = not burst or tls_role == 'client'
with_rx = not burst or tls_role != 'client'
if with_tx:
    check_path(Tx...)
if with_rx:
    check_path(Rx...)
> + if expected_rekeys > 0:
> + if burst:
> + if tls_role == 'client':
> + errors += check_min(stats_before, stats_after,
> + 'TlsTxRekeyOk', expected_rekeys, role)
> + errors += check_zero(stats_before, stats_after,
> + 'TlsTxRekeyError', role)
and same for those
> + else:
> + errors += check_min(stats_before, stats_after,
> + 'TlsRxRekeyOk', expected_rekeys, role)
> + errors += check_min(stats_before, stats_after,
> + 'TlsRxRekeyReceived', expected_rekeys,
> + role)
> + errors += check_zero(stats_before, stats_after,
> + 'TlsRxRekeyError', role)
> + else:
> + errors += check_min(stats_before, stats_after,
> + 'TlsTxRekeyOk', expected_rekeys, role)
> + errors += check_min(stats_before, stats_after,
> + 'TlsRxRekeyOk', expected_rekeys, role)
> + if tls_role == 'server':
> + errors += check_min(stats_before, stats_after,
> + 'TlsRxRekeyReceived', expected_rekeys,
> + role)
Why are you restricting this to the server? The client should get as
many rekeys as it sends.
> + errors += check_zero(stats_before, stats_after,
> + 'TlsTxRekeyError', role)
> + errors += check_zero(stats_before, stats_after,
> + 'TlsRxRekeyError', role)
> +
> + errors += check_zero(stats_before, stats_after, 'TlsDecryptError', role)
> +
> + return errors == 0
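Review bot: `TlsTxRekeyError` and `TlsRxRekeyError` are only checked inside `if expected_rekeys > 0:`, so a run with no expected rekeys never asserts that they stayed at zero, and nothing checks that `TlsTxRekeyOk`, `TlsRxRekeyOk` and `TlsRxRekeyReceived` did not move when no KeyUpdate was expected. Move the two `check_zero(..., 'TlsTxRekeyError', role)` / `check_zero(..., 'TlsRxRekeyError', role)` calls next to the unconditional `TlsDecryptError` check, and add `check_zero` on the RekeyOk/RekeyReceived counters in an `else:` branch, so an unexpected key update is reported as a failure instead of silently passing.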
--
Sabrina