From: Simon Horman <horms@kernel.org>
To: rjethwani@purestorage.com
Cc: Simon Horman <horms@kernel.org>,
edumazet@google.com, kuba@kernel.org, mbloch@nvidia.com,
john.fastabend@gmail.com, netdev@vger.kernel.org,
davem@davemloft.net, sd@queasysnail.net, pabeni@redhat.com,
saeedm@nvidia.com, borisp@nvidia.com, tariqt@nvidia.com,
leon@kernel.org
Subject: Re: [PATCH v8 5/6] tls: add hardware offload key update support
Date: Fri, 20 Mar 2026 19:42:24 +0000 [thread overview]
Message-ID: <20260320194224.175550-1-horms@kernel.org> (raw)
In-Reply-To: <20260319213323.235559-6-rjethwani@purestorage.com>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
---
tls: add hardware offload key update support
Add TLS KeyUpdate (rekey) support for hardware offload connections.
When hardware rekey fails, the connection gracefully degrades to
software encryption/decryption while maintaining TLS_HW configuration.
Tested on Mellanox ConnectX-6 Dx (Crypto Enabled) with multiple
TLS 1.3 key update cycles.
> tls: add hardware offload key update support
>
> Add TLS KeyUpdate (rekey) support for hardware offload connections.
>
> When hardware rekey fails, the connection gracefully degrades to
> software encryption/decryption while maintaining TLS_HW configuration.
This commit message claims the connection "gracefully degrades to
software encryption/decryption" when hardware rekey fails. However,
the implementation appears inconsistent with this description.
Looking at the actual code behavior in net/tls/tls_main.c:
> @@ -711,64 +713,68 @@ static int do_tls_setsockopt_conf(struct sock *sk, sockptr_t optval,
> }
>
> if (tx) {
[ ... ]
> + } else if (update && ctx->tx_conf == TLS_HW) {
> + /* HW rekey failed - return the actual error.
> + * Cannot fall back to SW for an existing HW connection.
> + */
> goto err_crypto_info;
When hardware rekey fails on an existing TLS_HW TX connection, the code
returns an error rather than degrading to software mode. The same pattern
appears for RX:
[ ... ]
> + } else if (update && ctx->rx_conf == TLS_HW) {
> + /* HW rekey failed - return the actual error.
> + * Cannot fall back to SW for an existing HW connection.
> + */
> goto err_crypto_info;
The comments explicitly state "Cannot fall back to SW for an existing HW
connection." This contradicts the commit message's claim of graceful
degradation.
Could the commit message be updated to accurately describe the error
handling behavior? This inconsistency was noted by Sabrina Dubroca during
review of v7, and remains in v8:
https://lore.kernel.org/netdev/aZxm8hSrVMkEIc2O@krikkit/
Additionally, the commit message style may be worth reviewing. Sabrina
suggested looking through git log for net/ to match the typical commit
message format used in the networking subsystem.
next prev parent reply other threads:[~2026-03-20 19:42 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-19 21:33 [PATCH net-next v8 0/6] tls: Add TLS 1.3 hardware offload support Rishikesh Jethwani
2026-03-19 21:33 ` [PATCH v8 1/6] net: tls: reject TLS 1.3 offload in chcr_ktls and nfp drivers Rishikesh Jethwani
2026-03-19 21:33 ` [PATCH v8 2/6] net/mlx5e: add TLS 1.3 hardware offload support Rishikesh Jethwani
2026-03-19 21:33 ` [PATCH v8 3/6] tls: " Rishikesh Jethwani
2026-03-20 19:42 ` Simon Horman
2026-03-20 21:32 ` Rishikesh Jethwani
2026-03-19 21:33 ` [PATCH v8 4/6] tls: split tls_set_sw_offload into init and finalize stages Rishikesh Jethwani
2026-03-19 21:33 ` [PATCH v8 5/6] tls: add hardware offload key update support Rishikesh Jethwani
2026-03-20 19:42 ` Simon Horman [this message]
2026-03-20 21:33 ` Rishikesh Jethwani
2026-03-19 21:33 ` [PATCH v8 6/6] selftests: net: add TLS hardware offload test Rishikesh Jethwani
2026-03-20 19:40 ` Simon Horman
2026-03-20 21:27 ` Rishikesh Jethwani
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260320194224.175550-1-horms@kernel.org \
--to=horms@kernel.org \
--cc=borisp@nvidia.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=john.fastabend@gmail.com \
--cc=kuba@kernel.org \
--cc=leon@kernel.org \
--cc=mbloch@nvidia.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=rjethwani@purestorage.com \
--cc=saeedm@nvidia.com \
--cc=sd@queasysnail.net \
--cc=tariqt@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox