• Boris Pismenny's avatar
    tls: Add rx inline crypto offload · 4799ac81
    Boris Pismenny authored
    This patch completes the generic infrastructure to offload TLS crypto to a
    network device. It enables the kernel to skip decryption and
    authentication of some skbs marked as decrypted by the NIC. In the fast
    path, all packets received are decrypted by the NIC and the performance
    is comparable to plain TCP.
    
    This infrastructure doesn't require a TCP offload engine. Instead, the
    NIC only decrypts packets that contain the expected TCP sequence number.
    Out-Of-Order TCP packets are provided unmodified. As a result, at the
    worst case a received TLS record consists of both plaintext and ciphertext
    packets. These partially decrypted records must be reencrypted,
    only to be decrypted.
    
    The notable differences between SW KTLS Rx and this offload are as
    follows:
    1. Partial decryption - Software must handle the case of a TLS record
    that was only partially decrypted by HW. This can happen due to packet
    reordering.
    2. Resynchronization - tls_read_size calls the device driver to
    resynchronize HW after HW lost track of TLS record framing in
    the TCP stream.
    Signed-off-by: default avatarBoris Pismenny <borisp@mellanox.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    4799ac81
tls_main.c 16.6 KB