From: Vadim Fedorenko <vadim.fedorenko@linux.dev>
To: Jakub Kicinski <kuba@kernel.org>, Vadim Fedorenko <vadfed@meta.com>
Cc: Martin KaFai Lau <martin.lau@linux.dev>,
Andrii Nakryiko <andrii@kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Mykola Lysenko <mykolal@fb.com>,
bpf@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH bpf-next 1/2] bpf: add skcipher API support to TC/XDP programs
Date: Fri, 27 Oct 2023 00:29:29 +0100 [thread overview]
Message-ID: <a10cdab4-ab67-1cd2-0827-52c3755a464f@linux.dev> (raw)
In-Reply-To: <20231026144759.5ce20f4c@kernel.org>
On 26.10.2023 22:47, Jakub Kicinski wrote:
> On Wed, 25 Oct 2023 18:59:37 -0700 Vadim Fedorenko wrote:
>> Add crypto API support to BPF to be able to decrypt or encrypt packets
>> in TC/XDP BPF programs. Only symmetric key ciphers are supported for
>> now. Special care should be taken for initialization part of crypto algo
>> because crypto_alloc_sync_skcipher() doesn't work with preemtion
>> disabled, it can be run only in sleepable BPF program. Also async crypto
>> is not supported because of the very same issue - TC/XDP BPF programs
>> are not sleepable.
>
> Do CC crypto@ for the next version, please.
Sure
>> +/**
>> + * struct bpf_crypto_skcipher_ctx - refcounted BPF sync skcipher context structure
>> + * @tfm: The pointer to crypto_sync_skcipher struct.
>> + * @rcu: The RCU head used to free the crypto context with RCU safety.
>> + * @usage: Object reference counter. When the refcount goes to 0, the
>> + * memory is released back to the BPF allocator, which provides
>> + * RCU safety.
>> + */
>> +
>
> spurious newline?
yeah, will fix it
>> +struct bpf_crypto_skcipher_ctx {
>
>> +/**
>> + * bpf_crypto_skcipher_ctx_acquire() - Acquire a reference to a BPF crypto context.
>
> The contexts are refcounted and can be placed in maps?
Yes, the idea was to avoid allocation of algo object and setting the key on hot
path. And for now there is no way to allocate crypto cipher object in TC/XDP
hook because it uses GFP_KERNEL and delayed module load.
> Does anything prevent them from being used simultaneously
> by difference CPUs?
The algorithm configuration and the key can be used by different CPUs
simultaneously
>> + case BPF_DYNPTR_TYPE_SKB:
>> + return skb_pointer_if_linear(ptr->data, ptr->offset, __bpf_dynptr_size(ptr));
>
> dynptr takes care of checking if skb can be written to?
dynptr is used to take care of size checking, but this particular part is used
to provide plain buffer from skb. I'm really sure if we can (or should) encrypt
or decrypt in-place, so API now assumes that src and dst are different buffers.
next prev parent reply other threads:[~2023-10-26 23:29 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-26 1:59 [PATCH bpf-next 1/2] bpf: add skcipher API support to TC/XDP programs Vadim Fedorenko
2023-10-26 1:59 ` [PATCH bpf-next 2/2] selftests: bpf: crypto skcipher algo selftests Vadim Fedorenko
2023-10-26 14:02 ` Daniel Borkmann
2023-10-26 18:20 ` Vadim Fedorenko
2023-10-26 21:47 ` [PATCH bpf-next 1/2] bpf: add skcipher API support to TC/XDP programs Jakub Kicinski
2023-10-26 23:29 ` Vadim Fedorenko [this message]
2023-10-27 1:35 ` Jakub Kicinski
2023-10-27 12:07 ` Vadim Fedorenko
2023-10-27 17:02 ` Vadim Fedorenko
2023-10-26 22:53 ` Alexei Starovoitov
2023-10-26 23:38 ` Vadim Fedorenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a10cdab4-ab67-1cd2-0827-52c3755a464f@linux.dev \
--to=vadim.fedorenko@linux.dev \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=kuba@kernel.org \
--cc=martin.lau@linux.dev \
--cc=mykolal@fb.com \
--cc=netdev@vger.kernel.org \
--cc=vadfed@meta.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).