31 Jul, 2019

1 commit


09 Jul, 2019

1 commit

  • netem runs skb_orphan_partial() which "disconnects" the skb
    from normal TCP write memory accounting. We should not adjust
    sk->sk_wmem_alloc on the fallback path for such skbs.

    Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
    Signed-off-by: Jakub Kicinski
    Reviewed-by: Dirk van der Merwe
    Signed-off-by: David S. Miller

    Jakub Kicinski
     

07 Jun, 2019

1 commit

  • While offloading TLS connections, drivers need to handle the case where
    out of order packets need to be transmitted.

    Other drivers obtain the entire TLS record for the specific skb to
    provide as context to hardware for encryption. However, other designs
    may also want to keep the hardware state intact and perform the
    out of order encryption entirely on the host.

    To achieve this, export the already existing software encryption
    fallback path so drivers could access this.

    Signed-off-by: Dirk van der Merwe
    Reviewed-by: Jakub Kicinski
    Signed-off-by: David S. Miller

    Dirk van der Merwe
     

05 Jun, 2019

1 commit

  • It's possible that TCP stack will decide to retransmit a packet
    right when that packet's data gets acked, especially in presence
    of packet reordering. This means that packets may be in flight,
    even though tls_device code has already freed their record state.
    Make fill_sg_in() and in turn tls_sw_fallback() not generate a
    warning in that case, and quietly proceed to drop such frames.

    Make the exit path from tls_sw_fallback() drop monitor friendly,
    for users to be able to troubleshoot dropped retransmissions.

    Signed-off-by: Jakub Kicinski
    Reviewed-by: Dirk van der Merwe
    Signed-off-by: David S. Miller

    Jakub Kicinski
     

01 May, 2019

1 commit


19 Apr, 2019

1 commit

  • Unlike atomic_add(), refcount_add() does not deal well
    with a negative argument. TLS fallback code reallocates
    the skb and is very likely to shrink the truesize, leading to:

    [ 189.513254] WARNING: CPU: 5 PID: 0 at lib/refcount.c:81 refcount_add_not_zero_checked+0x15c/0x180
    Call Trace:
    refcount_add_checked+0x6/0x40
    tls_enc_skb+0xb93/0x13e0 [tls]

    Once wmem_allocated count saturates the application can no longer
    send data on the socket. This is similar to Eric's fixes for GSO,
    TCP:
    commit 7ec318feeed1 ("tcp: gso: avoid refcount_t warning from tcp_gso_segment()")
    and UDP:
    commit 575b65bc5bff ("udp: avoid refcount_t saturation in __udp_gso_segment()").

    Unlike the GSO case, for TLS fallback it's likely that the skb has
    shrunk, so the "likely" annotation is the other way around (likely
    branch being "sub").

    Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
    Signed-off-by: Jakub Kicinski
    Reviewed-by: John Hurley
    Signed-off-by: David S. Miller

    Jakub Kicinski
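
The accounting problem in the commit message above, as an added userspace example that is not the kernel's code: a toy saturating counter stands in for refcount_t, and the two adjust functions contrast passing a negative truesize delta to an unsigned add with branching on its sign. All names here (`struct refcnt`, `ref_add`, `adjust_unsigned_add`, `adjust_signed_delta`) are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>

/* Toy userspace stand-in for refcount_t (assumption: models only the
 * saturate-on-overflow behaviour the commit message describes). */
struct refcnt { unsigned int v; };

static void ref_add(unsigned int i, struct refcnt *r)
{
    unsigned int n = r->v + i;

    if (r->v == UINT_MAX)
        return;                 /* already saturated: stays pinned */
    if (n < r->v)
        n = UINT_MAX;           /* wrapped: saturate instead */
    r->v = n;
}

static bool ref_sub_and_test(unsigned int i, struct refcnt *r)
{
    if (r->v == UINT_MAX || i > r->v)
        return false;           /* saturated or would underflow */
    r->v -= i;
    return r->v == 0;
}

/* "Before": a shrinking skb turns the delta into a huge unsigned value. */
unsigned int adjust_unsigned_add(unsigned int wmem, int old_ts, int new_ts)
{
    struct refcnt r = { wmem };

    ref_add((unsigned int)(new_ts - old_ts), &r);
    return r.v;
}

/* "After": branch on the sign of the delta; shrinking is the common case. */
unsigned int adjust_signed_delta(unsigned int wmem, int old_ts, int new_ts)
{
    struct refcnt r = { wmem };
    int delta = new_ts - old_ts;

    if (delta < 0)
        ref_sub_and_test((unsigned int)-delta, &r);
    else if (delta)
        ref_add((unsigned int)delta, &r);
    return r.v;
}
```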
     

02 Feb, 2019

1 commit

  • TLS 1.3 has minor changes from TLS 1.2 at the record layer.

    * Header now hardcodes the same version and application content type in
    the header.
    * The real content type is appended after the data, before encryption (or
    after decryption).
    * The IV is xored with the sequence number, instead of concatenating four
    bytes of IV with the explicit IV.
    * Zero-padding: No explicit length is given, we search backwards from the
    end of the decrypted data for the first non-zero byte, which is the
    content type. Currently recv supports reading zero-padding, but there
    is no way for send to add zero padding.

    Signed-off-by: Dave Watson
    Signed-off-by: David S. Miller

    Dave Watson
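
The record-layer changes listed in the commit message above, as an added userspace example that is not the kernel's code: header construction, the per-record nonce, and the inner plaintext with its trailing content type and zero padding. Function names are hypothetical, the 12-byte IV assumes AES-GCM, and the `pad` argument on the send side is for illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TLS13_IV_LEN 12            /* AES-GCM nonce length */
#define TLS_APPLICATION_DATA 23

/* Outer header: fixed content type and legacy version, then the length. */
void tls13_header(uint8_t hdr[5], uint16_t ciphertext_len)
{
    hdr[0] = TLS_APPLICATION_DATA;
    hdr[1] = 0x03;
    hdr[2] = 0x03;
    hdr[3] = (uint8_t)(ciphertext_len >> 8);
    hdr[4] = (uint8_t)ciphertext_len;
}

/* Nonce: big-endian 64-bit sequence number, left-padded, XORed into the IV. */
void tls13_nonce(const uint8_t iv[TLS13_IV_LEN], uint64_t seq,
                 uint8_t nonce[TLS13_IV_LEN])
{
    memcpy(nonce, iv, TLS13_IV_LEN);
    for (int i = 0; i < 8; i++)
        nonce[TLS13_IV_LEN - 1 - i] ^= (uint8_t)(seq >> (8 * i));
}

/* Before encryption: data || real content type || zero padding.
 * Returns the inner plaintext length, or 0 if it does not fit in cap. */
size_t tls13_wrap_inner(uint8_t *buf, size_t cap, size_t data_len,
                        uint8_t type, size_t pad)
{
    if (data_len >= cap || pad > cap - data_len - 1)
        return 0;
    buf[data_len] = type;
    memset(buf + data_len + 1, 0, pad);
    return data_len + 1 + pad;
}

/* After decryption: scan back over the padding to the content type.
 * Returns the data length, or -1 if all bytes are zero (reject the record). */
long tls13_unwrap_inner(const uint8_t *buf, size_t len, uint8_t *type)
{
    while (len > 0 && buf[len - 1] == 0)
        len--;
    if (len == 0)
        return -1;
    *type = buf[len - 1];
    return (long)(len - 1);
}
```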
     

14 Sep, 2018

1 commit

  • This contains key material in crypto_send_aes_gcm_128 and
    crypto_recv_aes_gcm_128.

    Introduce union tls_crypto_context, and replace the two identical
    unions directly embedded in struct tls_context with it. We can then
    use this union to clean up the memory in the new tls_ctx_free()
    function.

    Fixes: 3c4d7559159b ("tls: kernel TLS support")
    Signed-off-by: Sabrina Dubroca
    Signed-off-by: David S. Miller

    Sabrina Dubroca
     

16 Aug, 2018

1 commit

  • Pull crypto updates from Herbert Xu:
    "API:
    - Fix dcache flushing crash in skcipher.
    - Add hash finup self-tests.
    - Reschedule during speed tests.

    Algorithms:
    - Remove insecure vmac and replace it with vmac64.
    - Add public key verification for DH/ECDH.

    Drivers:
    - Decrease priority of sha-mb on x86.
    - Improve NEON latency/throughput on ARM64.
    - Add md5/sha384/sha512/des/3des to inside-secure.
    - Support eip197d in inside-secure.
    - Only register algorithms supported by the host in virtio.
    - Add cts and remove incompatible cts1 from ccree.
    - Add hisilicon SEC security accelerator driver.
    - Replace msm hwrng driver with qcom pseudo rng driver.

    Misc:
    - Centralize CRC polynomials"

    * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (121 commits)
    crypto: arm64/ghash-ce - implement 4-way aggregation
    crypto: arm64/ghash-ce - replace NEON yield check with block limit
    crypto: hisilicon - sec_send_request() can be static
    lib/mpi: remove redundant variable esign
    crypto: arm64/aes-ce-gcm - don't reload key schedule if avoidable
    crypto: arm64/aes-ce-gcm - implement 2-way aggregation
    crypto: arm64/aes-ce-gcm - operate on two input blocks at a time
    crypto: dh - make crypto_dh_encode_key() make robust
    crypto: dh - fix calculating encoded key size
    crypto: ccp - Check for NULL PSP pointer at module unload
    crypto: arm/chacha20 - always use vrev for 16-bit rotates
    crypto: ccree - allow bigger than sector XTS op
    crypto: ccree - zero all of request ctx before use
    crypto: ccree - remove cipher ivgen left overs
    crypto: ccree - drop useless type flag during reg
    crypto: ablkcipher - fix crash flushing dcache in error path
    crypto: blkcipher - fix crash flushing dcache in error path
    crypto: skcipher - fix crash flushing dcache in error path
    crypto: skcipher - remove unnecessary setting of walk->nbytes
    crypto: scatterwalk - remove scatterwalk_samebuf()
    ...

    Linus Torvalds
     

03 Aug, 2018

1 commit


16 Jul, 2018

2 commits

  • This patch completes the generic infrastructure to offload TLS crypto to a
    network device. It enables the kernel to skip decryption and
    authentication of some skbs marked as decrypted by the NIC. In the fast
    path, all packets received are decrypted by the NIC and the performance
    is comparable to plain TCP.

    This infrastructure doesn't require a TCP offload engine. Instead, the
    NIC only decrypts packets that contain the expected TCP sequence number.
    Out-Of-Order TCP packets are provided unmodified. As a result, at the
    worst case a received TLS record consists of both plaintext and ciphertext
    packets. These partially decrypted records must be reencrypted,
    only to be decrypted.

    The notable differences between SW KTLS Rx and this offload are as
    follows:
    1. Partial decryption - Software must handle the case of a TLS record
    that was only partially decrypted by HW. This can happen due to packet
    reordering.
    2. Resynchronization - tls_read_size calls the device driver to
    resynchronize HW after HW lost track of TLS record framing in
    the TCP stream.

    Signed-off-by: Boris Pismenny
    Signed-off-by: David S. Miller

    Boris Pismenny
     
  • For symmetry, we rename tls_offload_context to
    tls_offload_context_tx before we add tls_offload_context_rx.

    Signed-off-by: Boris Pismenny
    Signed-off-by: David S. Miller

    Boris Pismenny
     

01 May, 2018

1 commit

  • This patch adds a generic infrastructure to offload TLS crypto to a
    network device. It enables the kernel TLS socket to skip encryption
    and authentication operations on the transmit side of the data path,
    leaving those computationally expensive operations to the NIC.

    The NIC offload infrastructure builds TLS records and pushes them to
    the TCP layer just like the SW KTLS implementation and using the same
    API.
    TCP segmentation is mostly unaffected. Currently the only exception is
    that we prevent mixed SKBs where only part of the payload requires
    offload. In the future we are likely to add a similar restriction
    following a change cipher spec record.

    The notable differences between SW KTLS and NIC offloaded TLS
    implementations are as follows:
    1. The offloaded implementation builds "plaintext TLS records"; those
    records contain plaintext instead of ciphertext and placeholder bytes
    instead of authentication tags.
    2. The offloaded implementation maintains a mapping from TCP sequence
    number to TLS records. Thus given a TCP SKB sent from a NIC offloaded
    TLS socket, we can use the tls NIC offload infrastructure to obtain
    enough context to encrypt the payload of the SKB.
    A TLS record is released when the last byte of the record is ack'ed,
    this is done through the new icsk_clean_acked callback.

    The infrastructure should be extendable to support various NIC offload
    implementations. However it is currently written with the
    implementation below in mind:
    The NIC assumes that packets from each offloaded stream are sent as
    plaintext and in-order. It keeps track of the TLS records in the TCP
    stream. When a packet marked for offload is transmitted, the NIC
    encrypts the payload in-place and puts authentication tags in the
    relevant placeholders.

    The responsibility for handling out-of-order packets (i.e. TCP
    retransmission, qdisc drops) falls on the netdev driver.

    The netdev driver keeps track of the expected TCP SN from the NIC's
    perspective. If the next packet to transmit matches the expected TCP
    SN, the driver advances the expected TCP SN, and transmits the packet
    with TLS offload indication.

    If the next packet to transmit does not match the expected TCP SN, the
    driver calls the TLS layer to obtain the TLS record that includes the
    TCP of the packet for transmission. Using this TLS record, the driver
    posts a work entry on the transmit queue to reconstruct the NIC TLS
    state required for the offload of the out-of-order packet. It updates
    the expected TCP SN accordingly and transmits the now in-order packet.
    The same queue is used for packet transmission and TLS context
    reconstruction to avoid the need for flushing the transmit queue before
    issuing the context reconstruction request.

    Signed-off-by: Ilya Lesokhin
    Signed-off-by: Boris Pismenny
    Signed-off-by: Aviad Yehezkel
    Signed-off-by: David S. Miller

    Ilya Lesokhin
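
The TCP-sequence-to-record mapping described in the commit message above, together with the 05 Jun, 2019 case where a retransmit arrives after its record state was freed, as an added userspace example that is not the kernel's code. The fixed-size ring and all names (`struct rec_map`, `map_push`, `map_clean_acked`, `map_find`) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_RECS 8                      /* toy capacity (assumption) */

struct rec { uint32_t end_seq, len; };  /* covers [end_seq - len, end_seq) */
struct rec_map { struct rec r[MAX_RECS]; size_t head, count; };

/* Wraparound-safe "a is before b" for 32-bit TCP sequence numbers. */
static int seq_before(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) < 0;
}

/* Record a newly built TLS record, in send order. */
int map_push(struct rec_map *m, uint32_t start_seq, uint32_t len)
{
    struct rec *x;
    if (m->count == MAX_RECS)
        return -1;
    x = &m->r[(m->head + m->count++) % MAX_RECS];
    x->len = len;
    x->end_seq = start_seq + len;
    return 0;
}

/* On ACK: release every record whose last byte is acknowledged. */
size_t map_clean_acked(struct rec_map *m, uint32_t acked_seq)
{
    size_t n = 0;
    for (; m->count && !seq_before(acked_seq, m->r[m->head].end_seq); n++) {
        m->head = (m->head + 1) % MAX_RECS;
        m->count--;
    }
    return n;
}

/* Out-of-order transmit: find the record covering seq. NULL means it was
 * already released (late retransmit); the caller drops the frame quietly. */
const struct rec *map_find(const struct rec_map *m, uint32_t seq)
{
    for (size_t i = 0; i < m->count; i++) {
        const struct rec *x = &m->r[(m->head + i) % MAX_RECS];
        if (seq - (x->end_seq - x->len) < x->len)
            return x;
    }
    return NULL;
}
```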