[crypto 0/4] Inline TLS client and v6 support

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [crypto 0/4] Inline TLS client and v6 support
@ 2019-04-09 15:22 Atul Gupta
  2019-04-09 18:01 ` Jakub Kicinski
  0 siblings, 1 reply; 10+ messages in thread
From: Atul Gupta @ 2019-04-09 15:22 UTC (permalink / raw)
  To: herbert, davem, linux-crypto, netdev, dt, atul.gupta

Extends Inline TLS record processing to TLS client. connect
API is added to tls_context to setup hardware for TLS
connection and handshake. Functionality wise, this makes the solution
end-to-end Inline TLS capable. TLS server and client
can operate in Inline mode and leverage hardware for complete
TLS record offload.
[0004] Adds the IPv6 support for Inline TLS server/client.

RFC series for this patch was created against net-next and 
submitted on 18 Jan'2019.
This series is created against Herbert branch.

Atul Gupta (4):
  net/tls: connect routine for Inine TLS Client
  crypto/chelsio/chtls: hardware connect API
  crypto/chelsio/chtls: CPL for TLS client
  IPv6 changes for Inline TLS

 drivers/crypto/chelsio/chtls/chtls.h          |   18 +-
 drivers/crypto/chelsio/chtls/chtls_cm.c       | 1263 ++++++++++++++++++++++---
 drivers/crypto/chelsio/chtls/chtls_cm.h       |   12 +-
 drivers/crypto/chelsio/chtls/chtls_hw.c       |    7 +-
 drivers/crypto/chelsio/chtls/chtls_io.c       |   51 +-
 drivers/crypto/chelsio/chtls/chtls_main.c     |  164 +++-
 drivers/net/ethernet/chelsio/cxgb4/t4_msg.h   |   18 +
 drivers/net/ethernet/chelsio/cxgb4/t4fw_api.h |    2 +
 include/net/tls.h                             |    6 +
 include/net/transp_v6.h                       |    7 +
 net/core/secure_seq.c                         |    1 +
 net/ipv6/tcp_ipv6.c                           |   26 +-
 net/tls/tls_main.c                            |   23 +
 13 files changed, 1442 insertions(+), 156 deletions(-)

-- 
1.8.3.1


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [crypto 0/4] Inline TLS client and v6 support
  2019-04-09 15:22 [crypto 0/4] Inline TLS client and v6 support Atul Gupta
@ 2019-04-09 18:01 ` Jakub Kicinski
  2019-04-10  5:26   ` Atul Gupta
  0 siblings, 1 reply; 10+ messages in thread
From: Jakub Kicinski @ 2019-04-09 18:01 UTC (permalink / raw)
  To: Atul Gupta; +Cc: herbert, davem, linux-crypto, netdev, dt

On Tue,  9 Apr 2019 08:22:34 -0700, Atul Gupta wrote:
> Extends Inline TLS record processing to TLS client. connect
> API is added to tls_context to setup hardware for TLS
> connection and handshake. Functionality wise, this makes the solution
> end-to-end Inline TLS capable. TLS server and client
> can operate in Inline mode and leverage hardware for complete
> TLS record offload.
> [0004] Adds the IPv6 support for Inline TLS server/client.
> 
> RFC series for this patch was created against net-next and 
> submitted on 18 Jan'2019.
> This series is created against Herbert branch.

Sorry if someone already asked this, but is your HW doing full ToE 
for all this TLS "record offload" stuff?

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [crypto 0/4] Inline TLS client and v6 support
  2019-04-09 18:01 ` Jakub Kicinski
@ 2019-04-10  5:26   ` Atul Gupta
  2019-04-10 15:58     ` Jakub Kicinski
  0 siblings, 1 reply; 10+ messages in thread
From: Atul Gupta @ 2019-04-10  5:26 UTC (permalink / raw)
  To: Jakub Kicinski; +Cc: herbert, davem, linux-crypto, netdev, dt


On 4/9/2019 11:31 PM, Jakub Kicinski wrote:
> On Tue,  9 Apr 2019 08:22:34 -0700, Atul Gupta wrote:
>> Extends Inline TLS record processing to TLS client. connect
>> API is added to tls_context to setup hardware for TLS
>> connection and handshake. Functionality wise, this makes the solution
>> end-to-end Inline TLS capable. TLS server and client
>> can operate in Inline mode and leverage hardware for complete
>> TLS record offload.
>> [0004] Adds the IPv6 support for Inline TLS server/client.
>>
>> RFC series for this patch was created against net-next and 
>> submitted on 18 Jan'2019.
>> This series is created against Herbert branch.
> Sorry if someone already asked this, but is your HW doing full ToE 
> for all this TLS "record offload" stuff?

Yes Jakub

Thanks


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [crypto 0/4] Inline TLS client and v6 support
  2019-04-10  5:26   ` Atul Gupta
@ 2019-04-10 15:58     ` Jakub Kicinski
  2019-04-11  4:17       ` Atul Gupta
  0 siblings, 1 reply; 10+ messages in thread
From: Jakub Kicinski @ 2019-04-10 15:58 UTC (permalink / raw)
  To: Atul Gupta; +Cc: herbert, davem, linux-crypto, netdev, dt

On Wed, 10 Apr 2019 10:56:37 +0530, Atul Gupta wrote:
> On 4/9/2019 11:31 PM, Jakub Kicinski wrote:
> > On Tue,  9 Apr 2019 08:22:34 -0700, Atul Gupta wrote:  
> >> Extends Inline TLS record processing to TLS client. connect
> >> API is added to tls_context to setup hardware for TLS
> >> connection and handshake. Functionality wise, this makes the solution
> >> end-to-end Inline TLS capable. TLS server and client
> >> can operate in Inline mode and leverage hardware for complete
> >> TLS record offload.
> >> [0004] Adds the IPv6 support for Inline TLS server/client.
> >>
> >> RFC series for this patch was created against net-next and 
> >> submitted on 18 Jan'2019.
> >> This series is created against Herbert branch.  
> > Sorry if someone already asked this, but is your HW doing full ToE 
> > for all this TLS "record offload" stuff?  
> 
> Yes Jakub

So from what I grok you already feed all the data directly to the
socket completely bypassing the lower layers of the networking stack,
and with this patch set you'd also move 3WHS into the FW?

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [crypto 0/4] Inline TLS client and v6 support
  2019-04-10 15:58     ` Jakub Kicinski
@ 2019-04-11  4:17       ` Atul Gupta
  2019-04-11 16:40         ` Jakub Kicinski
  0 siblings, 1 reply; 10+ messages in thread
From: Atul Gupta @ 2019-04-11  4:17 UTC (permalink / raw)
  To: Jakub Kicinski; +Cc: herbert, davem, linux-crypto, netdev, dt


On 4/10/2019 9:28 PM, Jakub Kicinski wrote:
> On Wed, 10 Apr 2019 10:56:37 +0530, Atul Gupta wrote:
>> On 4/9/2019 11:31 PM, Jakub Kicinski wrote:
>>> On Tue,  9 Apr 2019 08:22:34 -0700, Atul Gupta wrote:  
>>>> Extends Inline TLS record processing to TLS client. connect
>>>> API is added to tls_context to setup hardware for TLS
>>>> connection and handshake. Functionality wise, this makes the solution
>>>> end-to-end Inline TLS capable. TLS server and client
>>>> can operate in Inline mode and leverage hardware for complete
>>>> TLS record offload.
>>>> [0004] Adds the IPv6 support for Inline TLS server/client.
>>>>
>>>> RFC series for this patch was created against net-next and 
>>>> submitted on 18 Jan'2019.
>>>> This series is created against Herbert branch.  
>>> Sorry if someone already asked this, but is your HW doing full ToE 
>>> for all this TLS "record offload" stuff?  
>> Yes Jakub
> So from what I grok you already feed all the data directly to the
> socket completely bypassing the lower layers of the networking stack,
> and with this patch set you'd also move 3WHS into the FW?
Yes, that's correct.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [crypto 0/4] Inline TLS client and v6 support
  2019-04-11  4:17       ` Atul Gupta
@ 2019-04-11 16:40         ` Jakub Kicinski
       [not found]           ` <ae56c100-d072-bf6b-465a-5136d29b84be@chelsio.com>
  0 siblings, 1 reply; 10+ messages in thread
From: Jakub Kicinski @ 2019-04-11 16:40 UTC (permalink / raw)
  To: Atul Gupta, herbert; +Cc: davem, linux-crypto, netdev, dt

On Thu, 11 Apr 2019 09:47:09 +0530, Atul Gupta wrote:
> On 4/10/2019 9:28 PM, Jakub Kicinski wrote:
> > On Wed, 10 Apr 2019 10:56:37 +0530, Atul Gupta wrote:  
> >> On 4/9/2019 11:31 PM, Jakub Kicinski wrote:  
> >>> On Tue,  9 Apr 2019 08:22:34 -0700, Atul Gupta wrote:    
> >>>> Extends Inline TLS record processing to TLS client. connect
> >>>> API is added to tls_context to setup hardware for TLS
> >>>> connection and handshake. Functionality wise, this makes the solution
> >>>> end-to-end Inline TLS capable. TLS server and client
> >>>> can operate in Inline mode and leverage hardware for complete
> >>>> TLS record offload.
> >>>> [0004] Adds the IPv6 support for Inline TLS server/client.
> >>>>
> >>>> RFC series for this patch was created against net-next and 
> >>>> submitted on 18 Jan'2019.
> >>>> This series is created against Herbert branch.    
> >>> Sorry if someone already asked this, but is your HW doing full ToE 
> >>> for all this TLS "record offload" stuff?    
> >> Yes Jakub  
> > So from what I grok you already feed all the data directly to the
> > socket completely bypassing the lower layers of the networking stack,
> > and with this patch set you'd also move 3WHS into the FW?  
> Yes, that's correct.

I believe then it's a no-go from netdev perspective.

^ permalink raw reply	[flat|nested] 10+ messages in thread

[parent not found: <ae56c100-d072-bf6b-465a-5136d29b84be@chelsio.com>]

* Re: [crypto 0/4] Inline TLS client and v6 support
       [not found]           ` <ae56c100-d072-bf6b-465a-5136d29b84be@chelsio.com>
@ 2019-04-11 18:45             ` Jakub Kicinski
  2019-04-11 18:52               ` David Miller
  0 siblings, 1 reply; 10+ messages in thread
From: Jakub Kicinski @ 2019-04-11 18:45 UTC (permalink / raw)
  To: Atul Gupta; +Cc: herbert, davem, linux-crypto, netdev, dt

On Thu, 11 Apr 2019 23:13:08 +0530, Atul Gupta wrote:
> On 4/11/2019 10:10 PM, Jakub Kicinski wrote:
> > On Thu, 11 Apr 2019 09:47:09 +0530, Atul Gupta wrote:  
> >> On 4/10/2019 9:28 PM, Jakub Kicinski wrote:  
> >>> On Wed, 10 Apr 2019 10:56:37 +0530, Atul Gupta wrote:    
> >>>> On 4/9/2019 11:31 PM, Jakub Kicinski wrote:    
> >>>>> On Tue,  9 Apr 2019 08:22:34 -0700, Atul Gupta wrote:      
> >>>>>> Extends Inline TLS record processing to TLS client. connect
> >>>>>> API is added to tls_context to setup hardware for TLS
> >>>>>> connection and handshake. Functionality wise, this makes the solution
> >>>>>> end-to-end Inline TLS capable. TLS server and client
> >>>>>> can operate in Inline mode and leverage hardware for complete
> >>>>>> TLS record offload.
> >>>>>> [0004] Adds the IPv6 support for Inline TLS server/client.
> >>>>>>
> >>>>>> RFC series for this patch was created against net-next and 
> >>>>>> submitted on 18 Jan'2019.
> >>>>>> This series is created against Herbert branch.      
> >>>>> Sorry if someone already asked this, but is your HW doing full ToE 
> >>>>> for all this TLS "record offload" stuff?      
> >>>> Yes Jakub    
> >>> So from what I grok you already feed all the data directly to the
> >>> socket completely bypassing the lower layers of the networking stack,
> >>> and with this patch set you'd also move 3WHS into the FW?    
> >> Yes, that's correct.  
> > I believe then it's a no-go from netdev perspective.  
>
> Inline TLS record offload path is kept out of netdev and leverages
> offload capabilities for crypto

Inline TLS record offload path bypasses the networking stack and feeds
data directly into the socket.  If we also allow offloading 3WHS the
connection will become invisible to the stack, queueing, packet
filtering etc.

I think the "netdev community" feels pretty strongly about preventing
protocol ossification and bypassing crucial parts of the infrastructure.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [crypto 0/4] Inline TLS client and v6 support
  2019-04-11 18:45             ` Jakub Kicinski
@ 2019-04-11 18:52               ` David Miller
  2019-04-15  9:10                 ` Atul Gupta
  0 siblings, 1 reply; 10+ messages in thread
From: David Miller @ 2019-04-11 18:52 UTC (permalink / raw)
  To: jakub.kicinski; +Cc: atul.gupta, herbert, linux-crypto, netdev, dt

From: Jakub Kicinski <jakub.kicinski@netronome.com>
Date: Thu, 11 Apr 2019 11:45:06 -0700

> I think the "netdev community" feels pretty strongly about preventing
> protocol ossification and bypassing crucial parts of the infrastructure.

Correct.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [crypto 0/4] Inline TLS client and v6 support
  2019-04-11 18:52               ` David Miller
@ 2019-04-15  9:10                 ` Atul Gupta
  2019-04-15  9:36                   ` Herbert Xu
  0 siblings, 1 reply; 10+ messages in thread
From: Atul Gupta @ 2019-04-15  9:10 UTC (permalink / raw)
  To: David Miller, jakub.kicinski; +Cc: herbert, linux-crypto, netdev, dt

On 4/12/2019 12:22 AM, David Miller wrote:
> From: Jakub Kicinski <jakub.kicinski@netronome.com>
> Date: Thu, 11 Apr 2019 11:45:06 -0700
>
>> I think the "netdev community" feels pretty strongly about preventing
>> protocol ossification and bypassing crucial parts of the infrastructure.
> Correct.

I understand the concern, the objective of complete offload of TLS record is an option to kTLS and other solutions. Have taken care to keep code out of netdev into crypto driver and allow user to choose record offload capability. Application buffer from socket is posted to HW for encryption, Segmentation and Tx on wire. The path provides near line-rate [100Gbps] Inline encrypt/decrypt b/w. If community feels this path adds value and can sit in crypto driver then I will work on build comments and resend v1?

Regards

Atul

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [crypto 0/4] Inline TLS client and v6 support
  2019-04-15  9:10                 ` Atul Gupta
@ 2019-04-15  9:36                   ` Herbert Xu
  0 siblings, 0 replies; 10+ messages in thread
From: Herbert Xu @ 2019-04-15  9:36 UTC (permalink / raw)
  To: Atul Gupta; +Cc: David Miller, jakub.kicinski, linux-crypto, netdev, dt

On Mon, Apr 15, 2019 at 02:40:03PM +0530, Atul Gupta wrote:
>
> Have taken care to keep code out of netdev into crypto driver
> and allow user to choose record offload capability.

Excuse me but the crypto driver is not a dumping ground for code
that is unacceptable for the network stack.  If it's unacceptable
for netdev then it's unacceptable to include them in your crypto
driver.

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2019-04-15  9:36 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-04-09 15:22 [crypto 0/4] Inline TLS client and v6 support Atul Gupta
2019-04-09 18:01 ` Jakub Kicinski
2019-04-10  5:26   ` Atul Gupta
2019-04-10 15:58     ` Jakub Kicinski
2019-04-11  4:17       ` Atul Gupta
2019-04-11 16:40         ` Jakub Kicinski
     [not found]           ` <ae56c100-d072-bf6b-465a-5136d29b84be@chelsio.com>
2019-04-11 18:45             ` Jakub Kicinski
2019-04-11 18:52               ` David Miller
2019-04-15  9:10                 ` Atul Gupta
2019-04-15  9:36                   ` Herbert Xu

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).