en Copyright 2015 Java http://172.16.0.5:8080/history/linux-6.15/net/tls/Makefile#c618db2a tls: rx: async: hold onto the input skbAsync crypto currently benefits from the fact that we decryptin place. When we allow input and output to be different skbswe will have to hang onto the input while we move to the nextrecord. Clone the inputs and keep them on a list.Signed-off-by: Jakub Kicinski <kuba@kernel.org>Signed-off-by: David S. Miller <davem@davemloft.net> List of files: /linux-6.15/net/tls/Makefile Fri, 15 Jul 2022 05:22:33 +0000 Jakub Kicinski <kuba@kernel.org> http://172.16.0.5:8080/history/linux-6.15/net/tls/Makefile#d26b698d net/tls: add skeleton of MIB statisticsAdd a skeleton structure for adding TLS statistics.Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>Signed-off-by: David S. Miller <davem@davemloft.net> List of files: /linux-6.15/net/tls/Makefile Fri, 04 Oct 2019 23:19:24 +0000 Jakub Kicinski <jakub.kicinski@netronome.com> http://172.16.0.5:8080/history/linux-6.15/net/tls/Makefile#8538d29c net/tls: add tracing for device/offload eventsAdd tracing of device-related interaction to aid performanceanalysis, especially around resync: tls:tls_device_offload_set tls:tls_device_rx_resync_send tls:tls_device_rx_resync_nh_schedule tls:tls_device_rx_resync_nh_delay tls:tls_device_tx_resync_req tls:tls_device_tx_resync_sendSigned-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>Signed-off-by: David S. Miller <davem@davemloft.net> List of files: /linux-6.15/net/tls/Makefile Fri, 04 Oct 2019 23:19:22 +0000 Jakub Kicinski <jakub.kicinski@netronome.com> http://172.16.0.5:8080/history/linux-6.15/net/tls/Makefile#53b4414a net/tls: allow compiling TLS TOE outTLS "record layer offload" requires TOE, and bypasses most ofthe normal networking stack. It is also significantly lessmaintained. Allow users to compile it out to avoid issues.Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>Reviewed-by: John Hurley <john.hurley@netronome.com>Reviewed-by: Simon Horman <simon.horman@netronome.com>Signed-off-by: David S. Miller <davem@davemloft.net> List of files: /linux-6.15/net/tls/Makefile Thu, 03 Oct 2019 18:18:59 +0000 Jakub Kicinski <jakub.kicinski@netronome.com> http://172.16.0.5:8080/history/linux-6.15/net/tls/Makefile#08700dab net/tls: move TOE-related code to a separate fileMove tls_hw_* functions to a new, separate source fileto avoid confusion with normal, non-TOE offload.Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>Reviewed-by: John Hurley <john.hurley@netronome.com>Reviewed-by: Simon Horman <simon.horman@netronome.com>Signed-off-by: David S. Miller <davem@davemloft.net> List of files: /linux-6.15/net/tls/Makefile Thu, 03 Oct 2019 18:18:57 +0000 Jakub Kicinski <jakub.kicinski@netronome.com> http://172.16.0.5:8080/history/linux-6.15/net/tls/Makefile#ec8f24b7 treewide: Add SPDX license identifier - Makefile/KconfigAdd SPDX license identifiers to all Make/Kconfig files which: - Have no license information of any formThese files fall under the project license, GPL v2 only. The resulting SPDXlicense identifier is: GPL-2.0-onlySigned-off-by: Thomas Gleixner <tglx@linutronix.de>Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> List of files: /linux-6.15/net/tls/Makefile Sun, 19 May 2019 12:07:45 +0000 Thomas Gleixner <tglx@linutronix.de> http://172.16.0.5:8080/history/linux-6.15/net/tls/Makefile#e8f69799 net/tls: Add generic NIC offload infrastructureThis patch adds a generic infrastructure to offload TLS crypto to anetwork device. It enables the kernel TLS socket to skip encryptionand authentication operations on the transmit side of the data path.Leaving those computationally expensive operations to the NIC.The NIC offload infrastructure builds TLS records and pushes them tothe TCP layer just like the SW KTLS implementation and using the sameAPI.TCP segmentation is mostly unaffected. Currently the only exception isthat we prevent mixed SKBs where only part of the payload requiresoffload. In the future we are likely to add a similar restrictionfollowing a change cipher spec record.The notable differences between SW KTLS and NIC offloaded TLSimplementations are as follows:1. The offloaded implementation builds "plaintext TLS record", thoserecords contain plaintext instead of ciphertext and place holder bytesinstead of authentication tags.2. The offloaded implementation maintains a mapping from TCP sequencenumber to TLS records. Thus given a TCP SKB sent from a NIC offloadedTLS socket, we can use the tls NIC offload infrastructure to obtainenough context to encrypt the payload of the SKB.A TLS record is released when the last byte of the record is ack'ed,this is done through the new icsk_clean_acked callback.The infrastructure should be extendable to support various NIC offloadimplementations. However it is currently written with theimplementation below in mind:The NIC assumes that packets from each offloaded stream are sent asplaintext and in-order. It keeps track of the TLS records in the TCPstream. When a packet marked for offload is transmitted, the NICencrypts the payload in-place and puts authentication tags in therelevant place holders.The responsibility for handling out-of-order packets (i.e. TCPretransmission, qdisc drops) falls on the netdev driver.The netdev driver keeps track of the expected TCP SN from the NIC'sperspective. If the next packet to transmit matches the expected TCPSN, the driver advances the expected TCP SN, and transmits the packetwith TLS offload indication.If the next packet to transmit does not match the expected TCP SN. Thedriver calls the TLS layer to obtain the TLS record that includes theTCP of the packet for transmission. Using this TLS record, the driverposts a work entry on the transmit queue to reconstruct the NIC TLSstate required for the offload of the out-of-order packet. It updatesthe expected TCP SN accordingly and transmits the now in-order packet.The same queue is used for packet transmission and TLS contextreconstruction to avoid the need for flushing the transmit queue beforeissuing the context reconstruction request.Signed-off-by: Ilya Lesokhin <ilyal@mellanox.com>Signed-off-by: Boris Pismenny <borisp@mellanox.com>Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>Signed-off-by: David S. Miller <davem@davemloft.net> List of files: /linux-6.15/net/tls/Makefile Mon, 30 Apr 2018 07:16:16 +0000 Ilya Lesokhin <ilyal@mellanox.com> http://172.16.0.5:8080/history/linux-6.15/net/tls/Makefile#3c4d7559 tls: kernel TLS supportSoftware implementation of transport layer security, implemented using ULPinfrastructure. tcp proto_ops are replaced with tls equivalents of sendmsg andsendpage.Only symmetric crypto is done in the kernel, keys are passed by setsockoptafter the handshake is complete. All control messages are supported via CMSGdata - the actual symmetric encryption is the same, just the message type needsto be passed separately.For user API, please see Documentation patch.Pieces that can be shared between hw and sw implementationare in tls_main.cSigned-off-by: Boris Pismenny <borisp@mellanox.com>Signed-off-by: Ilya Lesokhin <ilyal@mellanox.com>Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>Signed-off-by: Dave Watson <davejwatson@fb.com>Signed-off-by: David S. Miller <davem@davemloft.net> List of files: /linux-6.15/net/tls/Makefile Wed, 14 Jun 2017 18:37:39 +0000 Dave Watson <davejwatson@fb.com>