From: Daniel Zahka <daniel.zahka@gmail.com>
To: Donald Hunter <donald.hunter@gmail.com>,
Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
Jonathan Corbet <corbet@lwn.net>,
Andrew Lunn <andrew+netdev@lunn.ch>
Cc: "Saeed Mahameed" <saeedm@nvidia.com>,
"Leon Romanovsky" <leon@kernel.org>,
"Tariq Toukan" <tariqt@nvidia.com>,
"Boris Pismenny" <borisp@nvidia.com>,
"Kuniyuki Iwashima" <kuniyu@google.com>,
"Willem de Bruijn" <willemb@google.com>,
"David Ahern" <dsahern@kernel.org>,
"Neal Cardwell" <ncardwell@google.com>,
"Patrisious Haddad" <phaddad@nvidia.com>,
"Raed Salem" <raeds@nvidia.com>,
"Jianbo Liu" <jianbol@nvidia.com>,
"Dragos Tatulea" <dtatulea@nvidia.com>,
"Rahul Rameshbabu" <rrameshbabu@nvidia.com>,
"Stanislav Fomichev" <sdf@fomichev.me>,
"Toke Høiland-Jørgensen" <toke@redhat.com>,
"Alexander Lobakin" <aleksander.lobakin@intel.com>,
"Jacob Keller" <jacob.e.keller@intel.com>,
netdev@vger.kernel.org
Subject: [PATCH net-next v4 10/19] psp: track generations of device key
Date: Wed, 16 Jul 2025 07:45:31 -0700 [thread overview]
Message-ID: <20250716144551.3646755-11-daniel.zahka@gmail.com> (raw)
In-Reply-To: <20250716144551.3646755-1-daniel.zahka@gmail.com>
From: Jakub Kicinski <kuba@kernel.org>
There is a (somewhat theoretical in absence of multi-host support)
possibility that another entity will rotate the key and we won't
know. This may lead to accepting packets with matching SPI but
which used different crypto keys than we expected.

The PSP Architecture specification mentions that an implementation
should track master key generation when master keys are managed by the
NIC. Some PSP implementations may opt to include this key generation
state in decryption metadata each time a master key is used to decrypt
a packet. If that is the case, that key generation counter can also be
used when policy checking a decrypted skb against a psp_assoc. This is
an optional feature that is not explicitly part of the PSP spec, but
can provide additional security in the case where an attacker may have
the ability to force key rotations faster than rekeying can occur.

Since we're tracking "key generations" more explicitly now,
maintain different lists for associations from different generations.
This way we can catch stale associations (the user space should
listen to rotation notifications and change the keys).

Drivers can "opt out" of generation tracking by setting
the generation value to 0.
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Daniel Zahka <daniel.zahka@gmail.com>
---
Notes:
v1:
- https://lore.kernel.org/netdev/20240510030435.120935-9-kuba@kernel.org/
include/net/psp/types.h | 10 ++++++++++
net/psp/psp.h | 1 +
net/psp/psp_main.c | 6 +++++-
net/psp/psp_nl.c | 10 ++++++++++
net/psp/psp_sock.c | 16 ++++++++++++++++
5 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/include/net/psp/types.h b/include/net/psp/types.h
index f93ad0e6c04f..ec218747ced0 100644
--- a/include/net/psp/types.h
+++ b/include/net/psp/types.h
@@ -50,8 +50,12 @@ struct psp_dev_config {
* @lock: instance lock, protects all fields
* @refcnt: reference count for the instance
* @id: instance id
+ * @generation: current generation of the device key
* @config: current device configuration
* @active_assocs: list of registered associations
+ * @prev_assocs: associations which use old (but still usable)
+ * device key
+ * @stale_assocs: associations which use a rotated out key
*
* @rcu: RCU head for freeing the structure
*/
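Review bot: the @generation line should state that 0 means the driver has opted out of generation tracking, since that is the contract the commit message gives and the `psd->generation &&` guard in psp_nl_key_rotate_doit() relies on; something like `* @generation: current generation of the device key (0: not tracked)`. The @prev_assocs / @stale_assocs descriptions would also benefit from saying which one can still Rx (prev) and which is dead (stale), as that is the whole point of keeping three lists.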
@@ -67,13 +71,19 @@ struct psp_dev {
u32 id;
+ u8 generation;
+
struct psp_dev_config config;
struct list_head active_assocs;
+ struct list_head prev_assocs;
+ struct list_head stale_assocs;
struct rcu_head rcu;
};
+#define PSP_GEN_VALID_MASK 0x7f
+
/**
* struct psp_dev_caps - PSP device capabilities
*/
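Review bot: PSP_GEN_VALID_MASK lands in the public header with no comment, and nothing tells a driver author that the top bit of the 8-bit generation is repurposed as an "association invalid" flag by psp_assocs_key_rotated(); a driver that reports a generation with bit 7 set would both trip the WARN_ON_ONCE in psp_nl_key_rotate_doit() and make fresh associations look rotated out. Suggest a one-line comment next to the define, e.g. `/* generations are 1..0x7f, 0 disables tracking, bit 7 marks a rotated-out assoc */`, and placing it above struct psp_dev where the field it constrains is declared.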
diff --git a/net/psp/psp.h b/net/psp/psp.h
index defd3e3fd5e7..0f34e1a23fdd 100644
--- a/net/psp/psp.h
+++ b/net/psp/psp.h
@@ -27,6 +27,7 @@ int psp_sock_assoc_set_rx(struct sock *sk, struct psp_assoc *pas,
int psp_sock_assoc_set_tx(struct sock *sk, struct psp_dev *psd,
u32 version, struct psp_key_parsed *key,
struct netlink_ext_ack *extack);
+void psp_assocs_key_rotated(struct psp_dev *psd);
static inline void psp_dev_get(struct psp_dev *psd)
{
diff --git a/net/psp/psp_main.c b/net/psp/psp_main.c
index 1359ee7f24f5..0fdfe6f65f87 100644
--- a/net/psp/psp_main.c
+++ b/net/psp/psp_main.c
@@ -72,6 +72,8 @@ psp_dev_create(struct net_device *netdev,
mutex_init(&psd->lock);
INIT_LIST_HEAD(&psd->active_assocs);
+ INIT_LIST_HEAD(&psd->prev_assocs);
+ INIT_LIST_HEAD(&psd->stale_assocs);
refcount_set(&psd->refcnt, 1);
mutex_lock(&psp_devs_lock);
@@ -120,7 +122,9 @@ void psp_dev_unregister(struct psp_dev *psd)
xa_store(&psp_devs, psd->id, NULL, GFP_KERNEL);
mutex_unlock(&psp_devs_lock);
- list_for_each_entry_safe(pas, next, &psd->active_assocs, assocs_list)
+ list_splice_init(&psd->active_assocs, &psd->prev_assocs);
+ list_splice_init(&psd->prev_assocs, &psd->stale_assocs);
+ list_for_each_entry_safe(pas, next, &psd->stale_assocs, assocs_list)
psp_dev_tx_key_del(psd, pas);
rcu_assign_pointer(psd->main_netdev->psp_dev, NULL);
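Review bot: teardown and rotation age the lists differently: psp_dev_unregister() splices active_assocs through prev_assocs onto stale_assocs but never sets the invalid bit that psp_assocs_key_rotated() sets, so until the psp_dev pointer is cleared on the following line those associations still carry a valid-looking generation. Either mark the generation here as well or route the splices through psp_assocs_key_rotated() so both paths behave the same, and add a short comment on why the two list_splice_init() calls are needed before the walk of stale_assocs.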
diff --git a/net/psp/psp_nl.c b/net/psp/psp_nl.c
index c4b1c5f9a602..89d9b2a2e8e3 100644
--- a/net/psp/psp_nl.c
+++ b/net/psp/psp_nl.c
@@ -230,6 +230,7 @@ int psp_nl_key_rotate_doit(struct sk_buff *skb, struct genl_info *info)
struct psp_dev *psd = info->user_ptr[0];
struct genl_info ntf_info;
struct sk_buff *ntf, *rsp;
+ u8 prev_gen;
int err;
rsp = psp_nl_reply_new(info);
@@ -249,10 +250,19 @@ int psp_nl_key_rotate_doit(struct sk_buff *skb, struct genl_info *info)
goto err_free_ntf;
}
+ /* suggest the next gen number, driver can override */
+ prev_gen = psd->generation;
+ psd->generation = (prev_gen + 1) & PSP_GEN_VALID_MASK;
+
err = psd->ops->key_rotate(psd, info->extack);
if (err)
goto err_free_ntf;
+ WARN_ON_ONCE((psd->generation && psd->generation == prev_gen) ||
+ psd->generation & ~PSP_GEN_VALID_MASK);
+
+ psp_assocs_key_rotated(psd);
+
nlmsg_end(ntf, (struct nlmsghdr *)ntf->data);
genlmsg_multicast_netns(&psp_nl_family, dev_net(psd->main_netdev), ntf,
0, PSP_NLGRP_USE, GFP_KERNEL);
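Review bot: psd->generation is advanced before ops->key_rotate() runs and is not restored on the `goto err_free_ntf` path, so a failed rotation leaves the core one generation ahead of the device while the key is unchanged; every association created after that point records a generation the NIC will never report. Restore prev_gen on the error path, or only commit the new value once key_rotate() has succeeded. Separately, `psd->generation = (prev_gen + 1) & PSP_GEN_VALID_MASK;` wraps from 0x7f to 0, and 0 is the "tracking disabled" value, so for a driver that accepts the suggested number the 128th rotation silently switches tracking off without any warning (the `psd->generation &&` guard deliberately ignores 0); skip 0 on wrap.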
diff --git a/net/psp/psp_sock.c b/net/psp/psp_sock.c
index 7aee69ed10cd..3941f5c912df 100644
--- a/net/psp/psp_sock.c
+++ b/net/psp/psp_sock.c
@@ -60,6 +60,7 @@ struct psp_assoc *psp_assoc_create(struct psp_dev *psd)
pas->psd = psd;
pas->dev_id = psd->id;
+ pas->generation = psd->generation;
psp_dev_get(psd);
refcount_set(&pas->refcnt, 1);
@@ -243,6 +244,21 @@ int psp_sock_assoc_set_tx(struct sock *sk, struct psp_dev *psd,
return err;
}
+void psp_assocs_key_rotated(struct psp_dev *psd)
+{
+ struct psp_assoc *pas, *next;
+
+ /* Mark the stale associations as invalid, they will no longer
+ * be able to Rx any traffic.
+ */
+ list_for_each_entry_safe(pas, next, &psd->prev_assocs, assocs_list)
+ pas->generation |= ~PSP_GEN_VALID_MASK;
+ list_splice_init(&psd->prev_assocs, &psd->stale_assocs);
+ list_splice_init(&psd->active_assocs, &psd->prev_assocs);
+
+ /* TODO: we should inform the sockets that got shut down */
+}
+
void psp_twsk_init(struct inet_timewait_sock *tw, const struct sock *sk)
{
struct psp_assoc *pas = psp_sk_assoc(sk);
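Review bot: `pas->generation |= ~PSP_GEN_VALID_MASK;` is a plain read-modify-write of a field the Rx policy check will read from the packet-processing context, so the store here and the load on the Rx side should be WRITE_ONCE()/READ_ONCE() pairs to avoid a flagged data race. The comment above the loop says it marks "the stale associations", but the loop walks prev_assocs; those entries only become stale at the list_splice_init() that follows, so "associations from the previous generation" is more accurate. The TODO about informing shut-down sockets is left open; at minimum the commit message's expectation that user space watches the PSP_NLGRP_USE rotation notification deserves a line in the documentation so the gap is visible to users.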
--
2.47.1
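The aging of association lists and the generation check the commit message describes, as an added user-space model written for this page; it is not the patch's code and not kernel code. The `model_` names stand in for the patch's psp_dev / psp_assoc and list handling, the Rx check `model_rx_allowed()` is an assumption about how a NIC-reported generation would be compared against an association, and `model_next_gen()` deliberately skips 0 on wrap (the patch's `(prev_gen + 1) & PSP_GEN_VALID_MASK` does not), because 0 is the "tracking disabled" value.

```c
/* Added example: user-space model of PSP key-generation tracking.
 * Not the patch's code; model_* names are stand-ins. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PSP_GEN_VALID_MASK 0x7f /* from the patch: 7-bit generation counter */
#define MODEL_GEN_INVALID  0x80 /* the bit the patch sets via |= ~PSP_GEN_VALID_MASK */

struct model_assoc {
	uint8_t generation;       /* device generation captured at creation */
	uint32_t spi;             /* constructed sample value, not checked here */
	struct model_assoc *next;
};

struct model_dev {
	uint8_t generation;       /* 0 == driver opted out of tracking */
	struct model_assoc *active, *prev, *stale;
};

/* Move every entry of *src onto *dst, in the spirit of list_splice_init(). */
static void model_splice(struct model_assoc **dst, struct model_assoc **src)
{
	struct model_assoc *last = *src;

	if (!last)
		return;
	while (last->next)
		last = last->next;
	last->next = *dst;
	*dst = *src;
	*src = NULL;
}

int model_list_len(const struct model_assoc *l)
{
	int n = 0;

	for (; l; l = l->next)
		n++;
	return n;
}

struct model_assoc *model_assoc_create(struct model_dev *dev, uint32_t spi)
{
	struct model_assoc *pas = calloc(1, sizeof(*pas));

	if (!pas)
		abort();
	pas->generation = dev->generation; /* as psp_assoc_create() does */
	pas->spi = spi;
	pas->next = dev->active;
	dev->active = pas;
	return pas;
}

/* Next 7-bit generation; skips 0 on wrap because 0 means "not tracked"
 * (this is a change from the patch's arithmetic, see the lead-in). */
uint8_t model_next_gen(uint8_t gen)
{
	gen = (gen + 1) & PSP_GEN_VALID_MASK;
	return gen ? gen : 1;
}

/* Rotate: bump the generation, invalidate the previous generation's
 * associations, then age the lists as psp_assocs_key_rotated() does. */
void model_key_rotate(struct model_dev *dev)
{
	struct model_assoc *pas;

	dev->generation = model_next_gen(dev->generation);
	for (pas = dev->prev; pas; pas = pas->next)
		pas->generation |= MODEL_GEN_INVALID;
	model_splice(&dev->stale, &dev->prev);
	model_splice(&dev->prev, &dev->active);
}

/* Assumed Rx policy check: rx_gen is the generation the NIC reported in
 * the decrypt metadata of a packet whose SPI already matched pas. */
bool model_rx_allowed(const struct model_dev *dev,
		      const struct model_assoc *pas, uint8_t rx_gen)
{
	if (pas->generation & MODEL_GEN_INVALID)
		return false;          /* rotated out twice: never Rx again */
	if (!dev->generation)
		return true;           /* driver opted out: SPI match is all we have */
	return (pas->generation & PSP_GEN_VALID_MASK) == rx_gen;
}

/* Two rotations over two associations; returns the number of failed
 * expectations (0 when the model behaves as the commit message says). */
int model_scenario(void)
{
	struct model_dev dev = { .generation = 1 };
	struct model_assoc *a, *b;
	int bad = 0;

	a = model_assoc_create(&dev, 0x1001);  /* constructed SPI */
	model_key_rotate(&dev);                /* gen 1 -> 2, a moves to prev */
	bad += model_list_len(dev.prev) != 1;
	bad += !model_rx_allowed(&dev, a, 1);  /* previous key still usable */
	bad += model_rx_allowed(&dev, a, 2);   /* generation mismatch: reject */

	b = model_assoc_create(&dev, 0x1002);
	model_key_rotate(&dev);                /* gen 2 -> 3, a becomes stale */
	bad += model_list_len(dev.stale) != 1;
	bad += model_rx_allowed(&dev, a, 1);   /* invalid bit set: reject */
	bad += !model_rx_allowed(&dev, b, 2);
	bad += dev.generation != 3;
	free(a);
	free(b);
	return bad;
}

int main(void)
{
	printf("failed checks: %d\n", model_scenario());
	return 0;
}
```

The scenario mirrors the commit message: an association survives exactly one rotation on prev_assocs and is refused once a second rotation pushes it onto stale_assocs, and the opt-out case (`dev->generation == 0`) degrades to SPI matching alone, which is why the generation counter only adds protection when the driver actually reports it.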
Thread overview: 26+ messages
2025-07-16 14:45 [PATCH net-next v4 00/19] add basic PSP encryption for TCP connections Daniel Zahka
2025-07-16 14:45 ` [PATCH net-next v4 01/19] psp: add documentation Daniel Zahka
2025-07-16 14:45 ` [PATCH net-next v4 02/19] psp: base PSP device support Daniel Zahka
2025-07-16 14:45 ` [PATCH net-next v4 03/19] net: modify core data structures for PSP datapath support Daniel Zahka
2025-07-16 14:45 ` [PATCH net-next v4 04/19] tcp: add datapath logic for PSP with inline key exchange Daniel Zahka
2025-07-16 17:25 ` Willem de Bruijn
2025-07-16 14:45 ` [PATCH net-next v4 05/19] psp: add op for rotation of device key Daniel Zahka
2025-07-16 14:45 ` [PATCH net-next v4 06/19] net: move sk_validate_xmit_skb() to net/core/dev.c Daniel Zahka
2025-07-16 14:45 ` [PATCH net-next v4 07/19] net: tcp: allow tcp_timewait_sock to validate skbs before handing to device Daniel Zahka
2025-07-16 14:45 ` [PATCH net-next v4 08/19] net: psp: add socket security association code Daniel Zahka
2025-07-16 17:37 ` Willem de Bruijn
2025-07-16 14:45 ` [PATCH net-next v4 09/19] net: psp: update the TCP MSS to reflect PSP packet overhead Daniel Zahka
2025-07-16 17:38 ` Willem de Bruijn
2025-07-16 14:45 ` Daniel Zahka [this message]
2025-07-16 17:44 ` [PATCH net-next v4 10/19] psp: track generations of device key Willem de Bruijn
2025-07-16 14:45 ` [PATCH net-next v4 11/19] net/mlx5e: Support PSP offload functionality Daniel Zahka
2025-07-16 14:45 ` [PATCH net-next v4 12/19] net/mlx5e: Implement PSP operations .assoc_add and .assoc_del Daniel Zahka
2025-07-16 14:45 ` [PATCH net-next v4 13/19] psp: provide encapsulation helper for drivers Daniel Zahka
2025-07-16 14:45 ` [PATCH net-next v4 14/19] net/mlx5e: Implement PSP Tx data path Daniel Zahka
2025-07-16 14:45 ` [PATCH net-next v4 15/19] net/mlx5e: Add PSP steering in local NIC RX Daniel Zahka
2025-07-16 14:45 ` [PATCH net-next v4 16/19] net/mlx5e: Configure PSP Rx flow steering rules Daniel Zahka
2025-07-16 14:45 ` [PATCH net-next v4 17/19] psp: provide decapsulation and receive helper for drivers Daniel Zahka
2025-07-16 17:45 ` Willem de Bruijn
2025-07-16 14:45 ` [PATCH net-next v4 18/19] net/mlx5e: Add Rx data path offload Daniel Zahka
2025-07-16 14:45 ` [PATCH net-next v4 19/19] net/mlx5e: Implement PSP key_rotate operation Daniel Zahka
2025-07-17 12:43 ` [PATCH net-next v4 00/19] add basic PSP encryption for TCP connections Simon Horman