[PATCH xfrm v1] xfrm: fix error flow in case of add state fails

2018-01-18 Thread Aviad Yehezkel 
If add state fails in case of device offload, netdev refcount
will be negative since gc task is attempting to dev_free this state.
This is fixed by putting NULL in state dev field.

Signed-off-by: Aviad Yehezkel <avia...@mellanox.com>
Signed-off-by: Boris Pismeny <bor...@mellanox.com>
---
 net/xfrm/xfrm_device.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
index fb3f920..cd2b7d3 100644
--- a/net/xfrm/xfrm_device.c
+++ b/net/xfrm/xfrm_device.c
@@ -109,6 +109,7 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state 
*x,
 
err = dev->xfrmdev_ops->xdo_dev_state_add(x);
if (err) {
+   xso->dev = NULL;
dev_put(dev);
return err;
}
-- 
2.7.4

Re: [PATCH net-next v2] xfrm: Add ESN support for IPSec HW offload

2018-01-11 Thread Aviad Yehezkel 


On 1/11/2018 10:28 AM, Yossi Kuperman wrote:

From: Shannon Nelson [mailto:shannon.nel...@oracle.com]
Sent: Thursday, January 11, 2018 5:21 AM

On 1/10/2018 3:09 PM, Yossi Kuperman wrote:

On 10 Jan 2018, at 19:36, Shannon Nelson  wrote:


On 1/10/2018 2:34 AM, yoss...@mellanox.com wrote:
From: Yossef Efraim 
This patch adds ESN support to IPsec device offload.
Adding new xfrm device operation to synchronize device ESN.
Signed-off-by: Yossef Efraim 
---
Changes from v1:
   - Added documentation
---
   Documentation/networking/xfrm_device.txt |  3 +++
   include/linux/netdevice.h|  1 +
   include/net/xfrm.h   | 12 
   net/xfrm/xfrm_device.c   |  4 ++--
   net/xfrm/xfrm_replay.c   |  2 ++
   5 files changed, 20 insertions(+), 2 deletions(-)

[...]


diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
index 7598250..704a055 100644
--- a/net/xfrm/xfrm_device.c
+++ b/net/xfrm/xfrm_device.c
@@ -147,8 +147,8 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state 
*x,
   if (!x->type_offload)
   return -EINVAL;
   -/* We don't yet support UDP encapsulation, TFC padding and ESN. */
-if (x->encap || x->tfcpad || (x->props.flags & XFRM_STATE_ESN))
+/* We don't yet support UDP encapsulation and TFC padding. */
+if (x->encap || x->tfcpad)

As I mentioned before, this will cause issues when working with hardware that 
has no ESN support, such as Intel's x540: the stack will

expect the driver to do ESN, and nothing actually happens but a rollover of the 
numbers.  Sure, the driver could look for the ESN attribute
and fail the add, but that's a mode where we have to update every driver to 
fend off problems every time we add a new feature.  Much
better is to only update drivers that actively support the new feature.

You are right.

I’m not sure why this check is here in the first place. IMO it should take 
place in xdo_dev_state_add—a driver-specific callback.


If you say I'm right, then why do you say it should take place in the
driver callback?  I just wrote that it should *not*.


Sorry, I wasn't clear; you are right with respect that this change will break 
Intel's x540 driver.

However, I do think that this is the purpose of xdo_dev_state_add(). Again, As 
far as I can understand, and please correct me if I'm wrong, this shouldn’t be 
here in the first place.

Please have a look at mlx5e_xfrm_validate_state(). Currently, it return an 
error if the user requests ESN, regardless of the underlying device's 
capabilities. Subsequent patch to mlx5 driver, will allow such a request if the 
device does support it; maintaining backward compatibility.

Here is a code snippet:

-   if (x->props.flags & XFRM_STATE_ESN) {
+   if (x->props.flags & XFRM_STATE_ESN &&
+   !(mlx5_accel_ipsec_device_caps(priv->mdev) & MLX5_ACCEL_IPSEC_ESN)) 
{
 netdev_info(netdev, "Cannot offload ESN xfrm states\n");
 return -EINVAL;
 }


This code seems to be assuming that all drivers/NICs with the offload
will be able to do ESN, and this is not the case.  If this code is put
into place, suddenly the ixgbe driver's offload will have a failure
case: the driver doesn't support ESN, and doesn't know to NAK the
state_add if the ESN bit is on.  This is a generic capabilities issue
for which we already have a solution "pattern".

I guess you are right but ixgbe driver is already checking many other 
caps during add_sa callback (below code from v3 patches for ixgbe ipsec):


+   if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) {
+   netdev_err(dev, "Unsupported protocol 0x%04x for ipsec 
offload\n",
+  xs->id.proto);
+   return -EINVAL;
+   }
+
+   if (xs->xso.flags & XFRM_OFFLOAD_INBOUND) {
+   struct rx_sa rsa;
+
+   if (xs->calg) {
+   netdev_err(dev, "Compression offload not supported\n");
+   return -EINVAL;
+   }


What is the difference for checking xs->calg exists in state to ESN?

I think in long term we can refactor to cap mask declaration by the 
driver and call add_sa only if mask exists but

this can be a totally different patch.



We weren't assuming that, please see above.


  > What do you suggest?
  >

There should be a capabilities/feature flag for the driver to set and
the XFRM code shouldn't try the state_add with ESN if the driver hasn't
set an ESN bit in its capabilities.  Other capabilities that might make
sense here are IPv6, TSO, and CSUM; there may be others.


Look at how feature bits are added to netdev->features to signify what the 
driver can do.  I think that's a much better approach.


It looks like an overkill?

Alternatively, just solve this by failing to add the SA that has ESN set
if the driver hasn't defined your new

[RFC TLS Offload Support 07/15] mlx/mlx5_core: Allow sending multiple packets

2017-03-28 Thread Aviad Yehezkel 
From: Ilya Lesokhin <il...@mellanox.com>

Modify mlx5e_xmit to xmit multiple packet chained
using skb->next

Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
Signed-off-by: Aviad Yehezkel <avia...@mellanox.com>
---
 drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c 
b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
index e6ce509..f2d0cc0 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
@@ -35,7 +35,7 @@
 #include "en.h"
 
 #define MLX5E_SQ_NOPS_ROOM  MLX5_SEND_WQE_MAX_WQEBBS
-#define MLX5E_SQ_STOP_ROOM (MLX5_SEND_WQE_MAX_WQEBBS +\
+#define MLX5E_SQ_STOP_ROOM (2 * MLX5_SEND_WQE_MAX_WQEBBS +\
MLX5E_SQ_NOPS_ROOM)
 
 void mlx5e_send_nop(struct mlx5e_sq *sq, bool notify_hw)
@@ -405,6 +405,8 @@ netdev_tx_t mlx5e_xmit(struct sk_buff *skb, struct 
net_device *dev)
struct mlx5e_sq *sq = NULL;
struct mlx5_accel_ops *accel_ops;
struct mlx5_swp_info swp_info = {0};
+   struct sk_buff *next;
+   int rc;
 
rcu_read_lock();
accel_ops = mlx5_accel_get(priv->mdev);
@@ -417,7 +419,12 @@ netdev_tx_t mlx5e_xmit(struct sk_buff *skb, struct 
net_device *dev)
 
sq = priv->txq_to_sq_map[skb_get_queue_mapping(skb)];
 
-   return mlx5e_sq_xmit(sq, skb, _info);
+   do {
+   next = skb->next;
+   rc = mlx5e_sq_xmit(sq, skb, _info);
+   skb = next;
+   } while (next);
+   return rc;
 }
 
 bool mlx5e_poll_tx_cq(struct mlx5e_cq *cq, int napi_budget)
-- 
2.7.4

[RFC TLS Offload Support 01/15] tcp: Add clean acked data hook

2017-03-28 Thread Aviad Yehezkel 
From: Ilya Lesokhin <il...@mellanox.com>

Called when a TCP segment is acknowledged.
Could be used by application protocols who hold additional
metadata associated with the stream data
This is required for TLS offloads to release metadata
for acknowledged TLS records.

Signed-off-by: Boris Pismenny <bor...@mellanox.com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
Signed-off-by: Aviad Yehezkel <avia...@mellanox.com>
---
 include/net/inet_connection_sock.h | 2 ++
 net/ipv4/tcp_input.c   | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/include/net/inet_connection_sock.h 
b/include/net/inet_connection_sock.h
index 146054c..0b0aceb 100644
--- a/include/net/inet_connection_sock.h
+++ b/include/net/inet_connection_sock.h
@@ -77,6 +77,7 @@ struct inet_connection_sock_af_ops {
  * @icsk_pmtu_cookie  Last pmtu seen by socket
  * @icsk_ca_ops   Pluggable congestion control hook
  * @icsk_af_ops   Operations which are AF_INET{4,6} specific
+ * @icsk_clean_acked  Clean acked data hook
  * @icsk_ca_state:Congestion control state
  * @icsk_retransmits: Number of unrecovered [RTO] timeouts
  * @icsk_pending: Scheduled timer event
@@ -99,6 +100,7 @@ struct inet_connection_sock {
__u32 icsk_pmtu_cookie;
const struct tcp_congestion_ops *icsk_ca_ops;
const struct inet_connection_sock_af_ops *icsk_af_ops;
+   void  (*icsk_clean_acked)(struct sock *sk);
unsigned int  (*icsk_sync_mss)(struct sock *sk, u32 pmtu);
__u8  icsk_ca_state:6,
  icsk_ca_setsockopt:1,
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index fe668c1..c158bec 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -3667,6 +3667,9 @@ static int tcp_ack(struct sock *sk, const struct sk_buff 
*skb, int flag)
if (!prior_packets)
goto no_queue;
 
+   if (icsk->icsk_clean_acked)
+   icsk->icsk_clean_acked(sk);
+
/* See if we can take anything off of the retransmit queue. */
flag |= tcp_clean_rtx_queue(sk, prior_fackets, prior_snd_una, ,
_state, );
-- 
2.7.4

[RFC TLS Offload Support 09/15] mlx/tls: Sysfs configuration interface Configure the driver/hardware interface via sysfs.

2017-03-28 Thread Aviad Yehezkel 
From: Ilya Lesokhin <il...@mellanox.com>

Signed-off-by: Guy Shapiro <gu...@mellanox.com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
Signed-off-by: Matan Barak <mat...@mellanox.com>
Signed-off-by: Aviad Yehezkel <avia...@mellanox.com>
---
 .../ethernet/mellanox/accelerator/tls/tls_sysfs.c  | 194 +
 .../ethernet/mellanox/accelerator/tls/tls_sysfs.h  |  45 +
 2 files changed, 239 insertions(+)
 create mode 100644 drivers/net/ethernet/mellanox/accelerator/tls/tls_sysfs.c
 create mode 100644 drivers/net/ethernet/mellanox/accelerator/tls/tls_sysfs.h

diff --git a/drivers/net/ethernet/mellanox/accelerator/tls/tls_sysfs.c 
b/drivers/net/ethernet/mellanox/accelerator/tls/tls_sysfs.c
new file mode 100644
index 000..2860fc3
--- /dev/null
+++ b/drivers/net/ethernet/mellanox/accelerator/tls/tls_sysfs.c
@@ -0,0 +1,194 @@
+/*
+ * Copyright (c) 2015-2017 Mellanox Technologies. All rights reserved.
+ *
+ * This software is available to you under a choice of one of two
+ * licenses.  You may choose to be licensed under the terms of the GNU
+ * General Public License (GPL) Version 2, available from the file
+ * COPYING in the main directory of this source tree, or the
+ * OpenIB.org BSD license below:
+ *
+ * Redistribution and use in source and binary forms, with or
+ * without modification, are permitted provided that the following
+ * conditions are met:
+ *
+ *  - Redistributions of source code must retain the above
+ *copyright notice, this list of conditions and the following
+ *disclaimer.
+ *
+ *  - Redistributions in binary form must reproduce the above
+ *copyright notice, this list of conditions and the following
+ *disclaimer in the documentation and/or other materials
+ *provided with the distribution.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ *
+ */
+
+#include 
+
+#include "tls_sysfs.h"
+#include "tls_cmds.h"
+
+#ifdef MLX_TLS_SADB_RDMA
+struct mlx_tls_attribute {
+   struct attribute attr;
+   ssize_t (*show)(struct mlx_tls_dev *dev, char *buf);
+   ssize_t (*store)(struct mlx_tls_dev *dev, const char *buf,
+size_t count);
+};
+
+#define MLX_TLS_ATTR(_name, _mode, _show, _store) \
+   struct mlx_tls_attribute mlx_tls_attr_##_name = { \
+   .attr = {.name = __stringify(_name), .mode = _mode}, \
+   .show = _show, \
+   .store = _store, \
+   }
+#define to_mlx_tls_dev(obj)\
+   container_of(kobj, struct mlx_tls_dev, kobj)
+#define to_mlx_tls_attr(_attr) \
+   container_of(attr, struct mlx_tls_attribute, attr)
+
+static ssize_t mlx_tls_attr_show(struct kobject *kobj, struct attribute *attr,
+char *buf)
+{
+   struct mlx_tls_dev *dev = to_mlx_tls_dev(kobj);
+   struct mlx_tls_attribute *mlx_tls_attr = to_mlx_tls_attr(attr);
+   ssize_t ret = -EIO;
+
+   if (mlx_tls_attr->show)
+   ret = mlx_tls_attr->show(dev, buf);
+
+   return ret;
+}
+
+static ssize_t mlx_tls_attr_store(struct kobject *kobj, struct attribute *attr,
+ const char *buf, size_t count)
+{
+   struct mlx_tls_dev *dev = to_mlx_tls_dev(kobj);
+   struct mlx_tls_attribute *mlx_tls_attr = to_mlx_tls_attr(attr);
+   ssize_t ret = -EIO;
+
+   if (mlx_tls_attr->store)
+   ret = mlx_tls_attr->store(dev, buf, count);
+
+   return ret;
+}
+
+static ssize_t mlx_tls_sqpn_read(struct mlx_tls_dev *dev, char *buf)
+{
+   return sprintf(buf, "%u\n", dev->conn->qp->qp_num);
+}
+
+static ssize_t mlx_tls_sgid_read(struct mlx_tls_dev *dev, char *buf)
+{
+   union ib_gid *sgid = (union ib_gid *)>conn->fpga_qpc.remote_ip;
+
+   return sprintf(buf, "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x\n",
+  be16_to_cpu(((__be16 *)sgid->raw)[0]),
+  be16_to_cpu(((__be16 *)sgid->raw)[1]),
+  be16_to_cpu(((__be16 *)sgid->raw)[2]),
+  be16_to_cpu(((__be16 *)sgid->raw)[3]),
+  be16_to_cpu(((__be16 *)sgid->raw)[4]),
+  be16_to_cpu(((__be16 *)sgid->raw)[5]),
+  be16_to_cpu(((__be16 *)sgid->raw)[6]),
+  be16_to_cpu(((__be16 *)sgid->raw)[7]));
+}
+
+static ssize_t mlx_tls_dqpn_read(struct mlx_t

[RFC TLS Offload Support 11/15] mlx/tls: TLS offload driver Add the main module entrypoints and tie the module into the build system

2017-03-28 Thread Aviad Yehezkel 
From: Ilya Lesokhin <il...@mellanox.com>

Signed-off-by: Guy Shapiro <gu...@mellanox.com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
Signed-off-by: Matan Barak <mat...@mellanox.com>
Signed-off-by: Haggai Eran <hagg...@mellanox.com>
Signed-off-by: Aviad Yehezkel <avia...@mellanox.com>
---
 drivers/net/ethernet/mellanox/Kconfig  |  1 +
 drivers/net/ethernet/mellanox/Makefile |  1 +
 .../net/ethernet/mellanox/accelerator/tls/Kconfig  | 11 
 .../net/ethernet/mellanox/accelerator/tls/Makefile |  4 ++
 .../ethernet/mellanox/accelerator/tls/tls_main.c   | 77 ++
 5 files changed, 94 insertions(+)
 create mode 100644 drivers/net/ethernet/mellanox/accelerator/tls/Kconfig
 create mode 100644 drivers/net/ethernet/mellanox/accelerator/tls/Makefile
 create mode 100644 drivers/net/ethernet/mellanox/accelerator/tls/tls_main.c

diff --git a/drivers/net/ethernet/mellanox/Kconfig 
b/drivers/net/ethernet/mellanox/Kconfig
index 1b3ca6a..f270b76 100644
--- a/drivers/net/ethernet/mellanox/Kconfig
+++ b/drivers/net/ethernet/mellanox/Kconfig
@@ -21,6 +21,7 @@ source "drivers/net/ethernet/mellanox/mlx5/core/Kconfig"
 source "drivers/net/ethernet/mellanox/mlxsw/Kconfig"
 source "drivers/net/ethernet/mellanox/accelerator/core/Kconfig"
 source "drivers/net/ethernet/mellanox/accelerator/ipsec/Kconfig"
+source "drivers/net/ethernet/mellanox/accelerator/tls/Kconfig"
 source "drivers/net/ethernet/mellanox/accelerator/tools/Kconfig"
 
 endif # NET_VENDOR_MELLANOX
diff --git a/drivers/net/ethernet/mellanox/Makefile 
b/drivers/net/ethernet/mellanox/Makefile
index 96a5856..fd8afc0 100644
--- a/drivers/net/ethernet/mellanox/Makefile
+++ b/drivers/net/ethernet/mellanox/Makefile
@@ -7,4 +7,5 @@ obj-$(CONFIG_MLX5_CORE) += mlx5/core/
 obj-$(CONFIG_MLXSW_CORE) += mlxsw/
 obj-$(CONFIG_MLX_ACCEL_CORE) += accelerator/core/
 obj-$(CONFIG_MLX_ACCEL_IPSEC) += accelerator/ipsec/
+obj-$(CONFIG_MLX_ACCEL_TLS) += accelerator/tls/
 obj-$(CONFIG_MLX_ACCEL_TOOLS) += accelerator/tools/
diff --git a/drivers/net/ethernet/mellanox/accelerator/tls/Kconfig 
b/drivers/net/ethernet/mellanox/accelerator/tls/Kconfig
new file mode 100644
index 000..d9c0733
--- /dev/null
+++ b/drivers/net/ethernet/mellanox/accelerator/tls/Kconfig
@@ -0,0 +1,11 @@
+#
+# Mellanox tls accelerator driver configuration
+#
+
+config MLX_ACCEL_TLS
+   tristate "Mellanox Technologies TLS accelarator driver"
+   depends on MLX_ACCEL_CORE
+   default n
+   ---help---
+ TLS accelarator driver by Mellanox Technologies.
+
diff --git a/drivers/net/ethernet/mellanox/accelerator/tls/Makefile 
b/drivers/net/ethernet/mellanox/accelerator/tls/Makefile
new file mode 100644
index 000..93a7733
--- /dev/null
+++ b/drivers/net/ethernet/mellanox/accelerator/tls/Makefile
@@ -0,0 +1,4 @@
+obj-$(CONFIG_MLX_ACCEL_TLS)+= mlx_tls.o
+
+ccflags-y := -I$(srctree)/
+mlx_tls-y :=  tls_main.o tls_sysfs.o tls_hw.o tls.o
diff --git a/drivers/net/ethernet/mellanox/accelerator/tls/tls_main.c 
b/drivers/net/ethernet/mellanox/accelerator/tls/tls_main.c
new file mode 100644
index 000..85078f5
--- /dev/null
+++ b/drivers/net/ethernet/mellanox/accelerator/tls/tls_main.c
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2015-2017 Mellanox Technologies. All rights reserved.
+ *
+ * This software is available to you under a choice of one of two
+ * licenses.  You may choose to be licensed under the terms of the GNU
+ * General Public License (GPL) Version 2, available from the file
+ * COPYING in the main directory of this source tree, or the
+ * OpenIB.org BSD license below:
+ *
+ * Redistribution and use in source and binary forms, with or
+ * without modification, are permitted provided that the following
+ * conditions are met:
+ *
+ *  - Redistributions of source code must retain the above
+ *copyright notice, this list of conditions and the following
+ *disclaimer.
+ *
+ *  - Redistributions in binary form must reproduce the above
+ *copyright notice, this list of conditions and the following
+ *disclaimer in the documentation and/or other materials
+ *provided with the distribution.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ *
+ */
+#include 
+
+#include "tls.h"
+
+MODULE_AUTHOR("Mellanox Technologies Advance Develop Team 
<adv-...@mellanox.com>");
+MODULE_DESCRIPTION("Mellanox Innova TLS

[RFC TLS Offload Support 14/15] crypto: rfc5288 aesni optimized intel routines

2017-03-28 Thread Aviad Yehezkel 
From: Dave Watson 

The assembly routines require the AAD data to be padded out
to the nearest 4 bytes.
Copy the 13 byte tag to a spare assoc data area when necessary

Signed-off-by: Dave Watson 
---
 arch/x86/crypto/aesni-intel_asm.S|   6 ++
 arch/x86/crypto/aesni-intel_avx-x86_64.S |   4 ++
 arch/x86/crypto/aesni-intel_glue.c   | 105 ++-
 3 files changed, 99 insertions(+), 16 deletions(-)

diff --git a/arch/x86/crypto/aesni-intel_asm.S 
b/arch/x86/crypto/aesni-intel_asm.S
index 383a6f8..4e80bb8 100644
--- a/arch/x86/crypto/aesni-intel_asm.S
+++ b/arch/x86/crypto/aesni-intel_asm.S
@@ -229,6 +229,9 @@ XMM2 XMM3 XMM4 XMMDst TMP6 TMP7 i i_seq operation
 MOVADQ SHUF_MASK(%rip), %xmm14
movarg7, %r10   # %r10 = AAD
movarg8, %r12   # %r12 = aadLen
+   add$3, %r12
+   and$~3, %r12
+
mov%r12, %r11
pxor   %xmm\i, %xmm\i
 
@@ -454,6 +457,9 @@ XMM2 XMM3 XMM4 XMMDst TMP6 TMP7 i i_seq operation
 MOVADQ SHUF_MASK(%rip), %xmm14
movarg7, %r10   # %r10 = AAD
movarg8, %r12   # %r12 = aadLen
+   add$3, %r12
+   and$~3, %r12
+
mov%r12, %r11
pxor   %xmm\i, %xmm\i
 _get_AAD_loop\num_initial_blocks\operation:
diff --git a/arch/x86/crypto/aesni-intel_avx-x86_64.S 
b/arch/x86/crypto/aesni-intel_avx-x86_64.S
index 522ab68..0756e4a 100644
--- a/arch/x86/crypto/aesni-intel_avx-x86_64.S
+++ b/arch/x86/crypto/aesni-intel_avx-x86_64.S
@@ -360,6 +360,8 @@ VARIABLE_OFFSET = 16*8
 
 mov arg6, %r10  # r10 = AAD
 mov arg7, %r12  # r12 = aadLen
+add $3, %r12
+and $~3, %r12
 
 
 mov %r12, %r11
@@ -1619,6 +1621,8 @@ ENDPROC(aesni_gcm_dec_avx_gen2)
 
 mov arg6, %r10   # r10 = AAD
 mov arg7, %r12   # r12 = aadLen
+add $3, %r12
+and $~3, %r12
 
 
 mov %r12, %r11
diff --git a/arch/x86/crypto/aesni-intel_glue.c 
b/arch/x86/crypto/aesni-intel_glue.c
index 4ff90a7..dcada94 100644
--- a/arch/x86/crypto/aesni-intel_glue.c
+++ b/arch/x86/crypto/aesni-intel_glue.c
@@ -957,6 +957,8 @@ static int helper_rfc4106_encrypt(struct aead_request *req)
 {
u8 one_entry_in_sg = 0;
u8 *src, *dst, *assoc;
+   u8 *assocmem = NULL;
+
__be32 counter = cpu_to_be32(1);
struct crypto_aead *tfm = crypto_aead_reqtfm(req);
struct aesni_rfc4106_gcm_ctx *ctx = aesni_rfc4106_gcm_ctx_get(tfm);
@@ -966,12 +968,8 @@ static int helper_rfc4106_encrypt(struct aead_request *req)
struct scatter_walk src_sg_walk;
struct scatter_walk dst_sg_walk = {};
unsigned int i;
-
-   /* Assuming we are supporting rfc4106 64-bit extended */
-   /* sequence numbers We need to have the AAD length equal */
-   /* to 16 or 20 bytes */
-   if (unlikely(req->assoclen != 16 && req->assoclen != 20))
-   return -EINVAL;
+   unsigned int padded_assoclen = (req->assoclen + 3) & ~3;
+   u8 assocbuf[24];
 
/* IV below built */
for (i = 0; i < 4; i++)
@@ -996,7 +994,8 @@ static int helper_rfc4106_encrypt(struct aead_request *req)
} else {
/* Allocate memory for src, dst, assoc */
assoc = kmalloc(req->cryptlen + auth_tag_len + req->assoclen,
-   GFP_ATOMIC);
+   GFP_ATOMIC);
+   assocmem = assoc;
if (unlikely(!assoc))
return -ENOMEM;
scatterwalk_map_and_copy(assoc, req->src, 0,
@@ -1005,6 +1004,14 @@ static int helper_rfc4106_encrypt(struct aead_request 
*req)
dst = src;
}
 
+   if (req->assoclen != padded_assoclen) {
+   scatterwalk_map_and_copy(assocbuf, req->src, 0,
+req->assoclen, 0);
+   memset(assocbuf + req->assoclen, 0,
+  padded_assoclen - req->assoclen);
+   assoc = assocbuf;
+   }
+
kernel_fpu_begin();
aesni_gcm_enc_tfm(aes_ctx, dst, src, req->cryptlen, iv,
  ctx->hash_subkey, assoc, req->assoclen - 8,
@@ -1025,7 +1032,7 @@ static int helper_rfc4106_encrypt(struct aead_request 
*req)
} else {
scatterwalk_map_and_copy(dst, req->dst, req->assoclen,
 req->cryptlen + auth_tag_len, 1);
-   kfree(assoc);
+   kfree(assocmem);
}
return 0;
 }
@@ -1034,6 +1041,7 @@ static int helper_rfc4106_decrypt(struct aead_request 
*req)
 {
u8 one_entry_in_sg = 0;
u8 *src, *dst, *assoc;
+   u8 *assocmem = NULL;
unsigned long tempCipherLen = 0;
__be32 counter =

[RFC TLS Offload Support 03/15] tcp: export tcp_rate_check_app_limited function

2017-03-28 Thread Aviad Yehezkel 
We will use it via tls new code.

Signed-off-by: Aviad Yehezkel <avia...@mellanox.com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
Signed-off-by: Boris Pismenny <bor...@mellanox.com>
---
 net/ipv4/tcp_rate.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/ipv4/tcp_rate.c b/net/ipv4/tcp_rate.c
index 9be1581..a226f76 100644
--- a/net/ipv4/tcp_rate.c
+++ b/net/ipv4/tcp_rate.c
@@ -184,3 +184,4 @@ void tcp_rate_check_app_limited(struct sock *sk)
tp->app_limited =
(tp->delivered + tcp_packets_in_flight(tp)) ? : 1;
 }
+EXPORT_SYMBOL(tcp_rate_check_app_limited);
-- 
2.7.4

[RFC TLS Offload Support 04/15] net: Add TLS offload netdevice and socket support

2017-03-28 Thread Aviad Yehezkel 
From: Ilya Lesokhin <il...@mellanox.com>

This patch add a new NDO to add and delete TLS contexts on netdevices.

Signed-off-by: Boris Pismenny <bor...@mellanox.com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
Signed-off-by: Aviad Yehezkel <avia...@mellanox.com>
---
 include/linux/netdevice.h | 23 +++
 1 file changed, 23 insertions(+)

diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 51f9336..ce4760c 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -844,6 +844,25 @@ struct xfrmdev_ops {
 };
 #endif
 
+#if IS_ENABLED(CONFIG_TLS)
+enum tls_offload_ctx_dir {
+   TLS_OFFLOAD_CTX_DIR_RX,
+   TLS_OFFLOAD_CTX_DIR_TX,
+};
+
+struct tls_crypto_info;
+struct tls_offload_context;
+
+struct tlsdev_ops {
+   int (*tls_dev_add)(struct net_device *netdev, struct sock *sk,
+   enum tls_offload_ctx_dir direction,
+   struct tls_crypto_info *crypto_info,
+   struct tls_offload_context **ctx);
+   void (*tls_dev_del)(struct net_device *netdev, struct sock *sk,
+   enum tls_offload_ctx_dir direction);
+};
+#endif
+
 /*
  * This structure defines the management hooks for network devices.
  * The following hooks can be defined; unless noted otherwise, they are
@@ -1722,6 +1741,10 @@ struct net_device {
const struct xfrmdev_ops *xfrmdev_ops;
 #endif
 
+#if IS_ENABLED(CONFIG_TLS)
+   const struct tlsdev_ops *tlsdev_ops;
+#endif
+
const struct header_ops *header_ops;
 
unsigned intflags;
-- 
2.7.4

[RFC TLS Offload Support 15/15] net/tls: Add software offload

2017-03-28 Thread Aviad Yehezkel 
From: Ilya Lesokhin <il...@mellanox.com>

Signed-off-by: Dave Watson <davejwat...@fb.com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
Signed-off-by: Aviad Yehezkel <avia...@mellanox.com>
---
 MAINTAINERS|   1 +
 include/net/tls.h  |  44 
 net/tls/Makefile   |   2 +-
 net/tls/tls_main.c |  34 +--
 net/tls/tls_sw.c   | 729 +
 5 files changed, 794 insertions(+), 16 deletions(-)
 create mode 100644 net/tls/tls_sw.c

diff --git a/MAINTAINERS b/MAINTAINERS
index e3b70c3..413c1d9 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -8491,6 +8491,7 @@ M:Ilya Lesokhin <il...@mellanox.com>
 M: Aviad Yehezkel <avia...@mellanox.com>
 M: Boris Pismenny <bor...@mellanox.com>
 M: Haggai Eran <hagg...@mellanox.com>
+M: Dave Watson <davejwat...@fb.com>
 L: netdev@vger.kernel.org
 T: git git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git
 T: git git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
diff --git a/include/net/tls.h b/include/net/tls.h
index f7f0cde..bb1f41e 100644
--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -48,6 +48,7 @@
 
 #define TLS_CRYPTO_INFO_READY(info)((info)->cipher_type)
 #define TLS_IS_STATE_HW(info)  ((info)->state == TLS_STATE_HW)
+#define TLS_IS_STATE_SW(info)  ((info)->state == TLS_STATE_SW)
 
 #define TLS_RECORD_TYPE_DATA   0x17
 
@@ -68,6 +69,37 @@ struct tls_offload_context {
spinlock_t lock;/* protects records list */
 };
 
+#define TLS_DATA_PAGES (TLS_MAX_PAYLOAD_SIZE / PAGE_SIZE)
+/* +1 for aad, +1 for tag, +1 for chaining */
+#define TLS_SG_DATA_SIZE   (TLS_DATA_PAGES + 3)
+#define ALG_MAX_PAGES 16 /* for skb_to_sgvec */
+#define TLS_AAD_SPACE_SIZE 21
+#define TLS_AAD_SIZE   13
+#define TLS_TAG_SIZE   16
+
+#define TLS_NONCE_SIZE 8
+#define TLS_PREPEND_SIZE   (TLS_HEADER_SIZE + TLS_NONCE_SIZE)
+#define TLS_OVERHEAD   (TLS_PREPEND_SIZE + TLS_TAG_SIZE)
+
+struct tls_sw_context {
+   struct sock *sk;
+   void (*sk_write_space)(struct sock *sk);
+   struct crypto_aead *aead_send;
+
+   /* Sending context */
+   struct scatterlist sg_tx_data[TLS_SG_DATA_SIZE];
+   struct scatterlist sg_tx_data2[ALG_MAX_PAGES + 1];
+   char aad_send[TLS_AAD_SPACE_SIZE];
+   char tag_send[TLS_TAG_SIZE];
+   skb_frag_t tx_frag;
+   int wmem_len;
+   int order_npages;
+   struct scatterlist sgaad_send[2];
+   struct scatterlist sgtag_send[2];
+   struct sk_buff_head tx_queue;
+   int unsent;
+};
+
 struct tls_context {
union {
struct tls_crypto_info crypto_send;
@@ -102,6 +134,12 @@ int tls_device_sendmsg(struct sock *sk, struct msghdr 
*msg, size_t size);
 int tls_device_sendpage(struct sock *sk, struct page *page,
int offset, size_t size, int flags);
 
+int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx);
+void tls_clear_sw_offload(struct sock *sk);
+int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size);
+int tls_sw_sendpage(struct sock *sk, struct page *page,
+   int offset, size_t size, int flags);
+
 struct tls_record_info *tls_get_record(struct tls_offload_context *context,
   u32 seq);
 
@@ -174,6 +212,12 @@ static inline struct tls_context *tls_get_ctx(const struct 
sock *sk)
return sk->sk_user_data;
 }
 
+static inline struct tls_sw_context *tls_sw_ctx(
+   const struct tls_context *tls_ctx)
+{
+   return (struct tls_sw_context *)tls_ctx->priv_ctx;
+}
+
 static inline struct tls_offload_context *tls_offload_ctx(
const struct tls_context *tls_ctx)
 {
diff --git a/net/tls/Makefile b/net/tls/Makefile
index 65e5677..61457e0 100644
--- a/net/tls/Makefile
+++ b/net/tls/Makefile
@@ -4,4 +4,4 @@
 
 obj-$(CONFIG_TLS) += tls.o
 
-tls-y := tls_main.o tls_device.o
+tls-y := tls_main.o tls_device.o tls_sw.o
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index 6a3df25..a4efd02 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -46,6 +46,7 @@ MODULE_DESCRIPTION("Transport Layer Security Support");
 MODULE_LICENSE("Dual BSD/GPL");
 
 static struct proto tls_device_prot;
+static struct proto tls_sw_prot;
 
 int tls_push_frags(struct sock *sk,
   struct tls_context *ctx,
@@ -188,13 +189,10 @@ int tls_sk_query(struct sock *sk, int optname, char 
__user *optval,
rc = -EINVAL;
goto out;
}
-   if (TLS_IS_STATE_HW(crypto_info)) {
-   lock_sock(sk);
-   memcpy(crypto_info_aes_gcm_128->iv,
-  ctx->iv,
-  TLS_CIPHER_AES_GCM_128_IV_

[RFC TLS Offload Support 02/15] tcp: export do_tcp_sendpages function

2017-03-28 Thread Aviad Yehezkel 
We will use it via tls new code.

Signed-off-by: Aviad Yehezkel <avia...@mellanox.com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
Signed-off-by: Boris Pismenny <bor...@mellanox.com>
---
 include/net/tcp.h | 2 ++
 net/ipv4/tcp.c| 5 +++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/include/net/tcp.h b/include/net/tcp.h
index 207147b..3a72d4c 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -348,6 +348,8 @@ int tcp_v4_tw_remember_stamp(struct inet_timewait_sock *tw);
 int tcp_sendmsg(struct sock *sk, struct msghdr *msg, size_t size);
 int tcp_sendpage(struct sock *sk, struct page *page, int offset, size_t size,
 int flags);
+ssize_t do_tcp_sendpages(struct sock *sk, struct page *page, int offset,
+size_t size, int flags);
 void tcp_release_cb(struct sock *sk);
 void tcp_wfree(struct sk_buff *skb);
 void tcp_write_timer_handler(struct sock *sk);
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 1149b48..302fee9 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -873,8 +873,8 @@ static int tcp_send_mss(struct sock *sk, int *size_goal, 
int flags)
return mss_now;
 }
 
-static ssize_t do_tcp_sendpages(struct sock *sk, struct page *page, int offset,
-   size_t size, int flags)
+ssize_t do_tcp_sendpages(struct sock *sk, struct page *page, int offset,
+size_t size, int flags)
 {
struct tcp_sock *tp = tcp_sk(sk);
int mss_now, size_goal;
@@ -1003,6 +1003,7 @@ static ssize_t do_tcp_sendpages(struct sock *sk, struct 
page *page, int offset,
}
return sk_stream_error(sk, flags, err);
 }
+EXPORT_SYMBOL(do_tcp_sendpages);
 
 int tcp_sendpage(struct sock *sk, struct page *page, int offset,
 size_t size, int flags)
-- 
2.7.4

[RFC TLS Offload Support 12/15] mlx/tls: Enable MLX5_CORE_QP_SIM mode for tls

2017-03-28 Thread Aviad Yehezkel 
Signed-off-by: Aviad Yehezkel <avia...@mellanox.com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
---
 drivers/net/ethernet/mellanox/accelerator/tls/tls.c   | 6 ++
 drivers/net/ethernet/mellanox/accelerator/tls/tls_sysfs.c | 2 ++
 drivers/net/ethernet/mellanox/accelerator/tls/tls_sysfs.h | 2 ++
 3 files changed, 10 insertions(+)

diff --git a/drivers/net/ethernet/mellanox/accelerator/tls/tls.c 
b/drivers/net/ethernet/mellanox/accelerator/tls/tls.c
index 07a4b67..3560f784 100644
--- a/drivers/net/ethernet/mellanox/accelerator/tls/tls.c
+++ b/drivers/net/ethernet/mellanox/accelerator/tls/tls.c
@@ -494,9 +494,11 @@ static struct sk_buff *mlx_tls_rx_handler(struct sk_buff 
*skb, u8 *rawpet,
 static void mlx_tls_free(struct mlx_tls_dev *dev)
 {
list_del(>accel_dev_list);
+#if IS_ENABLED(CONFIG_MLX5_CORE_FPGA_QP_SIM)
 #ifdef MLX_TLS_SADB_RDMA
kobject_put(>kobj);
 #endif
+#endif
dev_put(dev->netdev);
kfree(dev);
 }
@@ -592,6 +594,7 @@ int mlx_tls_add_one(struct mlx_accel_core_device 
*accel_device)
goto err_netdev;
}
 
+#if IS_ENABLED(CONFIG_MLX5_CORE_FPGA_QP_SIM)
 #ifdef MLX_TLS_SADB_RDMA
ret = tls_sysfs_init_and_add(>kobj,
 mlx_accel_core_kobj(dev->accel_device),
@@ -603,6 +606,7 @@ int mlx_tls_add_one(struct mlx_accel_core_device 
*accel_device)
goto err_ops_register;
}
 #endif
+#endif
 
mutex_lock(_tls_mutex);
list_add(>accel_dev_list, _tls_devs);
@@ -611,10 +615,12 @@ int mlx_tls_add_one(struct mlx_accel_core_device 
*accel_device)
dev->netdev->tlsdev_ops = _tls_ops;
goto out;
 
+#if IS_ENABLED(CONFIG_MLX5_CORE_FPGA_QP_SIM)
 #ifdef MLX_TLS_SADB_RDMA
 err_ops_register:
mlx_accel_core_client_ops_unregister(accel_device);
 #endif
+#endif
 err_netdev:
dev_put(netdev);
 err_conn:
diff --git a/drivers/net/ethernet/mellanox/accelerator/tls/tls_sysfs.c 
b/drivers/net/ethernet/mellanox/accelerator/tls/tls_sysfs.c
index 2860fc3..76ba784 100644
--- a/drivers/net/ethernet/mellanox/accelerator/tls/tls_sysfs.c
+++ b/drivers/net/ethernet/mellanox/accelerator/tls/tls_sysfs.c
@@ -36,6 +36,7 @@
 #include "tls_sysfs.h"
 #include "tls_cmds.h"
 
+#if IS_ENABLED(CONFIG_MLX5_CORE_FPGA_QP_SIM)
 #ifdef MLX_TLS_SADB_RDMA
 struct mlx_tls_attribute {
struct attribute attr;
@@ -192,3 +193,4 @@ int tls_sysfs_init_and_add(struct kobject *kobj, struct 
kobject *parent,
fmt, arg);
 }
 #endif
+#endif
diff --git a/drivers/net/ethernet/mellanox/accelerator/tls/tls_sysfs.h 
b/drivers/net/ethernet/mellanox/accelerator/tls/tls_sysfs.h
index bfaa857..d7c3185 100644
--- a/drivers/net/ethernet/mellanox/accelerator/tls/tls_sysfs.h
+++ b/drivers/net/ethernet/mellanox/accelerator/tls/tls_sysfs.h
@@ -37,9 +37,11 @@
 
 #include "tls.h"
 
+#if IS_ENABLED(CONFIG_MLX5_CORE_FPGA_QP_SIM)
 #ifdef MLX_TLS_SADB_RDMA
 int tls_sysfs_init_and_add(struct kobject *kobj, struct kobject *parent,
   const char *fmt, char *arg);
 #endif
+#endif
 
 #endif /* __TLS_SYSFS_H__ */
-- 
2.7.4

[RFC TLS Offload Support 06/15] tls: tls offload support

2017-03-28 Thread Aviad Yehezkel 
This patch introduces TX HW offload.

tls_main: contains generic logic that will be shared by both
SW and HW implementations.
tls_device: contains generic HW logic that is shared by all
HW offload implementations.

Signed-off-by: Boris Pismenny <bor...@mellanox.com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
Signed-off-by: Aviad Yehezkel <avia...@mellanox.com>
---
 MAINTAINERS   |  13 +
 include/net/tls.h | 184 ++
 include/uapi/linux/Kbuild |   1 +
 include/uapi/linux/tls.h  |  84 +++
 net/Kconfig   |   1 +
 net/Makefile  |   1 +
 net/tls/Kconfig   |  12 +
 net/tls/Makefile  |   7 +
 net/tls/tls_device.c  | 594 ++
 net/tls/tls_main.c| 348 +++
 10 files changed, 1245 insertions(+)
 create mode 100644 include/net/tls.h
 create mode 100644 include/uapi/linux/tls.h
 create mode 100644 net/tls/Kconfig
 create mode 100644 net/tls/Makefile
 create mode 100644 net/tls/tls_device.c
 create mode 100644 net/tls/tls_main.c

diff --git a/MAINTAINERS b/MAINTAINERS
index b340ef6..e3b70c3 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -8486,6 +8486,19 @@ F:   net/ipv6/
 F: include/net/ip*
 F: arch/x86/net/*
 
+NETWORKING [TLS]
+M: Ilya Lesokhin <il...@mellanox.com>
+M: Aviad Yehezkel <avia...@mellanox.com>
+M: Boris Pismenny <bor...@mellanox.com>
+M: Haggai Eran <hagg...@mellanox.com>
+L: netdev@vger.kernel.org
+T: git git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git
+T: git git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
+S: Maintained
+F: net/tls/*
+F: include/uapi/linux/tls.h
+F: include/net/tls.h
+
 NETWORKING [IPSEC]
 M: Steffen Klassert <steffen.klass...@secunet.com>
 M: Herbert Xu <herb...@gondor.apana.org.au>
diff --git a/include/net/tls.h b/include/net/tls.h
new file mode 100644
index 000..f7f0cde
--- /dev/null
+++ b/include/net/tls.h
@@ -0,0 +1,184 @@
+/* Copyright (c) 2016-2017, Mellanox Technologies All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or
+ * without modification, are permitted provided that the following
+ * conditions are met:
+ *
+ *  - Redistributions of source code must retain the above
+ *copyright notice, this list of conditions and the following
+ *disclaimer.
+ *
+ *  - Redistributions in binary form must reproduce the above
+ *copyright notice, this list of conditions and the following
+ *disclaimer in the documentation and/or other materials
+ *provided with the distribution.
+ *
+ *  - Neither the name of the Mellanox Technologies nor the
+ *names of its contributors may be used to endorse or promote
+ *products derived from this software without specific prior written
+ *permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE
+ */
+
+#ifndef _TLS_OFFLOAD_H
+#define _TLS_OFFLOAD_H
+
+#include 
+
+#include 
+
+
+/* Maximum data size carried in a TLS record */
+#define TLS_MAX_PAYLOAD_SIZE   ((size_t)1 << 14)
+
+#define TLS_HEADER_SIZE5
+#define TLS_NONCE_OFFSET   TLS_HEADER_SIZE
+
+#define TLS_CRYPTO_INFO_READY(info)((info)->cipher_type)
+#define TLS_IS_STATE_HW(info)  ((info)->state == TLS_STATE_HW)
+
+#define TLS_RECORD_TYPE_DATA   0x17
+
+
+struct tls_record_info {
+   struct list_head list;
+   u32 end_seq;
+   int len;
+   int num_frags;
+   skb_frag_t frags[MAX_SKB_FRAGS];
+};
+
+struct tls_offload_context {
+   struct list_head records_list;
+   struct tls_record_info *open_record;
+   struct tls_record_info *retransmit_hint;
+   u32 expectedSN;
+   spinlock_t lock;/* protects records list */
+};
+
+struct tls_context {
+   union {
+   struct tls_crypto_info crypto_send;
+   struct tls_crypto_info_aes_gcm_128 crypto_send_aes_gcm_128;
+   };
+
+   void *priv_ctx;
+
+   u16 prepand_size;
+   u16 tag_size;
+   u16 iv_s

[RFC TLS Offload Support 10/15] mlx/tls: Add mlx_accel offload driver for TLS

2017-03-28 Thread Aviad Yehezkel 
From: Ilya Lesokhin <il...@mellanox.com>

Implement the transmit and receive callbacks as well as the netdev
operations for adding and removing sockets.

Signed-off-by: Guy Shapiro <gu...@mellanox.com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
Signed-off-by: Matan Barak <mat...@mellanox.com>
Signed-off-by: Haggai Eran <hagg...@mellanox.com>
Signed-off-by: Aviad Yehezkel <avia...@mellanox.com>
---
 .../net/ethernet/mellanox/accelerator/tls/tls.c| 652 +
 .../net/ethernet/mellanox/accelerator/tls/tls.h| 100 
 2 files changed, 752 insertions(+)
 create mode 100644 drivers/net/ethernet/mellanox/accelerator/tls/tls.c
 create mode 100644 drivers/net/ethernet/mellanox/accelerator/tls/tls.h

diff --git a/drivers/net/ethernet/mellanox/accelerator/tls/tls.c 
b/drivers/net/ethernet/mellanox/accelerator/tls/tls.c
new file mode 100644
index 000..07a4b67
--- /dev/null
+++ b/drivers/net/ethernet/mellanox/accelerator/tls/tls.c
@@ -0,0 +1,652 @@
+/*
+ * Copyright (c) 2015-2017 Mellanox Technologies. All rights reserved.
+ *
+ * This software is available to you under a choice of one of two
+ * licenses.  You may choose to be licensed under the terms of the GNU
+ * General Public License (GPL) Version 2, available from the file
+ * COPYING in the main directory of this source tree, or the
+ * OpenIB.org BSD license below:
+ *
+ * Redistribution and use in source and binary forms, with or
+ * without modification, are permitted provided that the following
+ * conditions are met:
+ *
+ *  - Redistributions of source code must retain the above
+ *copyright notice, this list of conditions and the following
+ *disclaimer.
+ *
+ *  - Redistributions in binary form must reproduce the above
+ *copyright notice, this list of conditions and the following
+ *disclaimer in the documentation and/or other materials
+ *provided with the distribution.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ *
+ */
+#include "tls.h"
+#include "tls_sysfs.h"
+#include "tls_hw.h"
+#include "tls_cmds.h"
+#include 
+#include 
+
+static LIST_HEAD(mlx_tls_devs);
+static DEFINE_MUTEX(mlx_tls_mutex);
+
+/* Start of context identifiers range (inclusive) */
+#define SWID_START 5
+/* End of context identifiers range (exclusive) */
+#define SWID_END   BIT(24)
+
+static netdev_features_t mlx_tls_feature_chk(struct sk_buff *skb,
+struct net_device *netdev,
+netdev_features_t features,
+bool *done)
+{
+   return features;
+}
+
+int mlx_tls_get_count(struct net_device *netdev)
+{
+   return 0;
+}
+
+int mlx_tls_get_strings(struct net_device *netdev, uint8_t *data)
+{
+   return 0;
+}
+
+int mlx_tls_get_stats(struct net_device *netdev, u64 *data)
+{
+   return 0;
+}
+
+/* must hold mlx_tls_mutex to call this function */
+static struct mlx_tls_dev *find_mlx_tls_dev_by_netdev(
+   struct net_device *netdev)
+{
+   struct mlx_tls_dev *dev;
+
+   list_for_each_entry(dev, _tls_devs, accel_dev_list) {
+   if (dev->netdev == netdev)
+   return dev;
+   }
+
+   return NULL;
+}
+
+struct mlx_tls_offload_context *get_tls_context(struct sock *sk)
+{
+   struct tls_context *tls_ctx = tls_get_ctx(sk);
+
+   return container_of(tls_offload_ctx(tls_ctx),
+   struct mlx_tls_offload_context,
+   context);
+}
+
+static int mlx_tls_add(struct net_device *netdev,
+  struct sock *sk,
+  enum tls_offload_ctx_dir direction,
+  struct tls_crypto_info *crypto_info,
+  struct tls_offload_context **ctx)
+{
+   struct tls_crypto_info_aes_gcm_128 *crypto_info_aes_gcm_128;
+   struct mlx_tls_offload_context *context;
+   struct mlx_tls_dev *dev;
+   int swid;
+   int ret;
+
+   pr_info("mlx_tls_add called\n");
+
+   if (direction == TLS_OFFLOAD_CTX_DIR_RX) {
+   pr_err("mlx_tls_add(): do not support recv\n");
+   ret = -EINVAL;
+   goto out;
+   }
+
+   if (!crypto_info ||
+   crypto_info->cipher_type != TLS_CIPHER_AES_GCM_128) {
+   pr_err("mlx_tls_add(): support only aes_gcm_128\n");
+

[RFC TLS Offload Support 08/15] mlx/tls: Hardware interface

2017-03-28 Thread Aviad Yehezkel 
From: Ilya Lesokhin <il...@mellanox.com>

Implement the hardware interface to set up TLS offload.

Signed-off-by: Guy Shapiro <gu...@mellanox.com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
Signed-off-by: Matan Barak <mat...@mellanox.com>
Signed-off-by: Haggai Eran <hagg...@mellanox.com>
Signed-off-by: Aviad Yehezkel <avia...@mellanox.com>
---
 .../ethernet/mellanox/accelerator/tls/tls_cmds.h   | 112 ++
 .../net/ethernet/mellanox/accelerator/tls/tls_hw.c | 429 +
 .../net/ethernet/mellanox/accelerator/tls/tls_hw.h |  49 +++
 3 files changed, 590 insertions(+)
 create mode 100644 drivers/net/ethernet/mellanox/accelerator/tls/tls_cmds.h
 create mode 100644 drivers/net/ethernet/mellanox/accelerator/tls/tls_hw.c
 create mode 100644 drivers/net/ethernet/mellanox/accelerator/tls/tls_hw.h

diff --git a/drivers/net/ethernet/mellanox/accelerator/tls/tls_cmds.h 
b/drivers/net/ethernet/mellanox/accelerator/tls/tls_cmds.h
new file mode 100644
index 000..8916f00
--- /dev/null
+++ b/drivers/net/ethernet/mellanox/accelerator/tls/tls_cmds.h
@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 2015-2017 Mellanox Technologies. All rights reserved.
+ *
+ * This software is available to you under a choice of one of two
+ * licenses.  You may choose to be licensed under the terms of the GNU
+ * General Public License (GPL) Version 2, available from the file
+ * COPYING in the main directory of this source tree, or the
+ * OpenIB.org BSD license below:
+ *
+ * Redistribution and use in source and binary forms, with or
+ * without modification, are permitted provided that the following
+ * conditions are met:
+ *
+ *  - Redistributions of source code must retain the above
+ *copyright notice, this list of conditions and the following
+ *disclaimer.
+ *
+ *  - Redistributions in binary form must reproduce the above
+ *copyright notice, this list of conditions and the following
+ *disclaimer in the documentation and/or other materials
+ *provided with the distribution.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ *
+ */
+
+#ifndef MLX_TLS_CMDS_H
+#define MLX_TLS_CMDS_H
+
+#define MLX_TLS_SADB_RDMA
+
+enum fpga_cmds {
+   CMD_SETUP_STREAM= 1,
+   CMD_TEARDOWN_STREAM = 2,
+};
+
+enum fpga_response {
+   EVENT_SETUP_STREAM_RESPONSE = 0x81,
+};
+
+#define TLS_TCP_IP_PROTO   BIT(3)  /* 0 - UDP; 1 - TCP */
+#define TLS_TCP_INIT   BIT(2)  /* 1 - Initialized */
+#define TLS_TCP_VALID  BIT(1)  /* 1 - Valid */
+#define TLS_TCP_IPV6   BIT(0)  /* 0 - IPv4;1 - IPv6 */
+
+struct tls_cntx_tcp {
+   __be32 ip_da[4];
+   __be32 flags;
+   __be16 src_port;
+   __be16 dst_port;
+   u32 pad;
+   __be32 tcp_sn;
+   __be32 ip_sa[4];
+} __packed;
+
+struct tls_cntx_crypto {
+   u8 enc_state[16];
+   u8 enc_key[32];
+} __packed;
+
+struct tls_cntx_record {
+   u8 rcd_sn[8];
+   u16 pad;
+   u8 flags;
+   u8 rcd_type_ver;
+   __be32 rcd_tcp_sn_nxt;
+   __be32 rcd_implicit_iv;
+   u8 rcd_residue[32];
+} __packed;
+
+#define TLS_RCD_ENC_AES_GCM128 (0)
+#define TLS_RCD_ENC_AES_GCM256 (BIT(4))
+#define TLS_RCD_AUTH_AES_GCM128(0)
+#define TLS_RCD_AUTH_AES_GCM256(1)
+
+#define TLS_RCD_VER_1_2(3)
+
+struct tls_cntx {
+   struct tls_cntx_tcp tcp;
+   struct tls_cntx_record  rcd;
+   struct tls_cntx_crypto  crypto;
+} __packed;
+
+struct setup_stream_cmd {
+   u8 cmd;
+   __be32 stream_id;
+   struct tls_cntx tls;
+} __packed;
+
+struct teardown_stream_cmd {
+   u8 cmd;
+   __be32 stream_id;
+} __packed;
+
+struct generic_event {
+   __be32 opcode;
+   __be32 stream_id;
+};
+
+struct setup_stream_response {
+   __be32 opcode;
+   __be32 stream_id;
+};
+
+#endif /* MLX_TLS_CMDS_H */
diff --git a/drivers/net/ethernet/mellanox/accelerator/tls/tls_hw.c 
b/drivers/net/ethernet/mellanox/accelerator/tls/tls_hw.c
new file mode 100644
index 000..3a02f1e
--- /dev/null
+++ b/drivers/net/ethernet/mellanox/accelerator/tls/tls_hw.c
@@ -0,0 +1,429 @@
+/*
+ * Copyright (c) 2015-2017 Mellanox Technologies. All rights reserved.
+ *
+ * This software is available to you under a choice of one of two
+ * licenses.  You may choose to be licensed under the terms of the GNU
+ * General Public License (GPL) Version 2, available from the file
+ * COPYING in the main directory of this source

[RFC TLS Offload Support 13/15] crypto: Add gcm template for rfc5288

2017-03-28 Thread Aviad Yehezkel 
From: Dave Watson 

AAD data length is 13 bytes, tag is 16.

Signed-off-by: Dave Watson 
---
 crypto/gcm.c | 122 +++
 crypto/tcrypt.c  |  14 ---
 crypto/testmgr.c |  16 
 crypto/testmgr.h |  47 +
 4 files changed, 194 insertions(+), 5 deletions(-)

diff --git a/crypto/gcm.c b/crypto/gcm.c
index f624ac9..07c2805 100644
--- a/crypto/gcm.c
+++ b/crypto/gcm.c
@@ -1016,6 +1016,120 @@ static struct crypto_template crypto_rfc4106_tmpl = {
.module = THIS_MODULE,
 };
 
+static int crypto_rfc5288_encrypt(struct aead_request *req)
+{
+   if (req->assoclen != 21)
+   return -EINVAL;
+
+   req = crypto_rfc4106_crypt(req);
+
+   return crypto_aead_encrypt(req);
+}
+
+static int crypto_rfc5288_decrypt(struct aead_request *req)
+{
+   if (req->assoclen != 21)
+   return -EINVAL;
+
+   req = crypto_rfc4106_crypt(req);
+
+   return crypto_aead_decrypt(req);
+}
+
+static int crypto_rfc5288_create(struct crypto_template *tmpl,
+struct rtattr **tb)
+{
+   struct crypto_attr_type *algt;
+   struct aead_instance *inst;
+   struct crypto_aead_spawn *spawn;
+   struct aead_alg *alg;
+   const char *ccm_name;
+   int err;
+
+   algt = crypto_get_attr_type(tb);
+   if (IS_ERR(algt))
+   return PTR_ERR(algt);
+
+   if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
+   return -EINVAL;
+
+   ccm_name = crypto_attr_alg_name(tb[1]);
+   if (IS_ERR(ccm_name))
+   return PTR_ERR(ccm_name);
+
+   inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
+   if (!inst)
+   return -ENOMEM;
+
+   spawn = aead_instance_ctx(inst);
+   crypto_set_aead_spawn(spawn, aead_crypto_instance(inst));
+   err = crypto_grab_aead(spawn, ccm_name, 0,
+  crypto_requires_sync(algt->type, algt->mask));
+   if (err)
+   goto out_free_inst;
+
+   alg = crypto_spawn_aead_alg(spawn);
+
+   err = -EINVAL;
+
+   /* Underlying IV size must be 12. */
+   if (crypto_aead_alg_ivsize(alg) != 12)
+   goto out_drop_alg;
+
+   /* Not a stream cipher? */
+   if (alg->base.cra_blocksize != 1)
+   goto out_drop_alg;
+
+   err = -ENAMETOOLONG;
+   if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
+"rfc5288(%s)", alg->base.cra_name) >=
+   CRYPTO_MAX_ALG_NAME ||
+   snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
+"rfc5288(%s)", alg->base.cra_driver_name) >=
+   CRYPTO_MAX_ALG_NAME)
+   goto out_drop_alg;
+
+   inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC;
+   inst->alg.base.cra_priority = alg->base.cra_priority;
+   inst->alg.base.cra_blocksize = 1;
+   inst->alg.base.cra_alignmask = alg->base.cra_alignmask;
+
+   inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4106_ctx);
+
+   inst->alg.ivsize = 8;
+   inst->alg.chunksize = crypto_aead_alg_chunksize(alg);
+   inst->alg.maxauthsize = crypto_aead_alg_maxauthsize(alg);
+
+   inst->alg.init = crypto_rfc4106_init_tfm;
+   inst->alg.exit = crypto_rfc4106_exit_tfm;
+
+   inst->alg.setkey = crypto_rfc4106_setkey;
+   inst->alg.setauthsize = crypto_rfc4106_setauthsize;
+   inst->alg.encrypt = crypto_rfc5288_encrypt;
+   inst->alg.decrypt = crypto_rfc5288_decrypt;
+
+   inst->free = crypto_rfc4106_free;
+
+   err = aead_register_instance(tmpl, inst);
+   if (err)
+   goto out_drop_alg;
+
+out:
+   return err;
+
+out_drop_alg:
+   crypto_drop_aead(spawn);
+out_free_inst:
+   kfree(inst);
+   goto out;
+}
+
+static struct crypto_template crypto_rfc5288_tmpl = {
+   .name = "rfc5288",
+   .create = crypto_rfc5288_create,
+   .module = THIS_MODULE,
+};
+
 static int crypto_rfc4543_setkey(struct crypto_aead *parent, const u8 *key,
 unsigned int keylen)
 {
@@ -1284,8 +1398,14 @@ static int __init crypto_gcm_module_init(void)
if (err)
goto out_undo_rfc4106;
 
+   err = crypto_register_template(_rfc5288_tmpl);
+   if (err)
+   goto out_undo_rfc4543;
+
return 0;
 
+out_undo_rfc4543:
+   crypto_unregister_template(_rfc4543_tmpl);
 out_undo_rfc4106:
crypto_unregister_template(_rfc4106_tmpl);
 out_undo_gcm:
@@ -1302,6 +1422,7 @@ static void __exit crypto_gcm_module_exit(void)
kfree(gcm_zeroes);
crypto_unregister_template(_rfc4543_tmpl);
crypto_unregister_template(_rfc4106_tmpl);
+   crypto_unregister_template(_rfc5288_tmpl);
crypto_unregister_template(_gcm_tmpl);
crypto_unregister_template(_gcm_base_tmpl);
 }
@@ -1315,4 +1436,5 @@ MODULE_AUTHOR("Mikko

[RFC TLS Offload Support 00/15] cover letter

2017-03-28 Thread Aviad Yehezkel 
Overview

A kernel TLS Tx only socket option for TCP sockets.
Similarly to the kernel TLS socket(https://lwn.net/Articles/665602),
only symmetric crypto is done in the kernel, as well as TLS record framing.
The handshake remains in userspace, and the negotiated cipher keys/iv are 
provided to the TCP socket.

Today, userspace TLS must perform 2 passes over the data. First, it has to 
encrypt the data. Second, the data is copied to the TCP socket in the kernel.
Kernel TLS avoids one pass over the data by encrypting the data from userspace 
pages into kernelspace buffers.

Non application-data TLS records must be encrypted using the latest crypto 
state available in the kernel. It is possible to get the crypto context from 
the kernel and encrypt such recrods in user-space. But we choose to encrypt 
such TLS records in the kernel by setting the MSG_OOB flag and providing the 
record type with the data.

TLS Tx crypto offload is a new feature of network devices. It enables the 
kernel TLS socket to skip encryption and authentication operations on the 
transmit side of the data path, delegating those to the NIC. In turn, the NIC 
encrypts packets that belong to an offloaded TLS socket on the fly. The NIC 
does not modify any packet headers. It expects to receive fully framed TCP 
packets with TLS records as payload. The NIC replaces plaintext with ciphertext 
and fills the authentication tag. The NIC does not hold any state beyond the 
context needed to encrypt the next expected packet, i.e. expected TCP sequence 
number and crypto state.

There are 2 flows for TLS Tx offload, a fast path and a slow path.
Fast path: packet matches the expected TCP sequence number in the context.
Slow path: packet does not match the expected TCP sequence number in the 
context. For example: TCP retransmissions. For a packet in the slow path, we 
need to resynchronize the crypto context of the NIC by providing the TLS record 
data for that packet before it could be encrypted and transmitted by the NIC.

Motivation
==
1) Performance: The CPU overhead of encryption in the data path is high, at 
least 4x for netperf over TLS between 2 machines connected back-to-back.
Our single stream performance tests show that using crypto offload for TLS 
sockets achieves the same throughput as plain TCP traffic while increasing CPU 
utilization by only
 x1.4.

2) Flexibility: The protocol stack is implemented entirely on the host CPU.
Compared to solutions based on TCP offload, this approach offloads only 
encryption. Keeping memory management, congestion control, etc. in the host CPU.

Notes
=
1) New paths:
o net/tls - TLS layer in kernel
o drivers/net/ethernet/mellanox/accelerator/* - NIC driver support, 
currently implemented as seperated modules.
  In the future this code will go into the mlx5 driver. We attached to this 
patch only the module that integrated with TLS layer.
  The complete NIC sample driver is available at 
https://github.com/Mellanox/tls-offload/tree/tx_rfc_v5

2) We implemented support for this API in OpenSSL 1.1.0, the code is available 
at https://github.com/Mellanox/tls-openssl/tree/master

3) TLS crypto offload was presented during netdevconf1.2, more details could be 
found in the presentation and paper:
   https://netdevconf.org/1.2/session.html?boris-pismenny

4) These RFC patches are based on kernel 4.9-rc7.

Aviad Yehezkel (5):
  tcp: export do_tcp_sendpages function
  tcp: export tcp_rate_check_app_limited function
  tcp: Add TLS socket options for TCP sockets
  tls: tls offload support
  mlx/tls: Enable MLX5_CORE_QP_SIM mode for tls

Dave Watson (2):
  crypto: Add gcm template for rfc5288
  crypto: rfc5288 aesni optimized intel routines

Ilya Lesokhin (8):
  tcp: Add clean acked data hook
  net: Add TLS offload netdevice and socket support
  mlx/mlx5_core: Allow sending multiple packets
  mlx/tls: Hardware interface
  mlx/tls: Sysfs configuration interface Configure the driver/hardware
interface via sysfs.
  mlx/tls: Add mlx_accel offload driver for TLS
  mlx/tls: TLS offload driver Add the main module entrypoints and tie
the module into the build system
  net/tls: Add software offload

 MAINTAINERS|  14 +
 arch/x86/crypto/aesni-intel_asm.S  |   6 +
 arch/x86/crypto/aesni-intel_avx-x86_64.S   |   4 +
 arch/x86/crypto/aesni-intel_glue.c | 105 ++-
 crypto/gcm.c   | 122 
 crypto/tcrypt.c|  14 +-
 crypto/testmgr.c   |  16 +
 crypto/testmgr.h   |  47 ++
 drivers/net/ethernet/mellanox/Kconfig  |   1 +
 drivers/net/ethernet/mellanox/Makefile |   1 +
 .../net/ethernet/mellanox/accelerator/tls/Kconfig  |  11 +
 .../net/ethernet/mellanox/accelerator/tls/Makefile |   4 +
 .../net/ethernet/mellanox/accelerator/tls/tls.c| 658

[RFC TLS Offload Support 05/15] tcp: Add TLS socket options for TCP sockets

2017-03-28 Thread Aviad Yehezkel 
This patch adds TLS_TX and TLS_RX TCP socket options.

Setting these socket options will change the sk->sk_prot
operations of the TCP socket. The user is responsible to
prevent races between calls to the previous operations
and the new operations. After successful return, data
sent on this socket will be encapsulated in TLS.

Signed-off-by: Aviad Yehezkel <avia...@mellanox.com>
Signed-off-by: Boris Pismenny <bor...@mellanox.com>
Signed-off-by: Ilya Lesokhin <il...@mellanox.com>
---
 include/uapi/linux/tcp.h |  2 ++
 net/ipv4/tcp.c   | 32 
 2 files changed, 34 insertions(+)

diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h
index c53de26..f9f0e29 100644
--- a/include/uapi/linux/tcp.h
+++ b/include/uapi/linux/tcp.h
@@ -116,6 +116,8 @@ enum {
 #define TCP_SAVE_SYN   27  /* Record SYN headers for new 
connections */
 #define TCP_SAVED_SYN  28  /* Get SYN headers recorded for 
connection */
 #define TCP_REPAIR_WINDOW  29  /* Get/set window parameters */
+#define TCP_TLS_TX 30
+#define TCP_TLS_RX 31
 
 struct tcp_repair_opt {
__u32   opt_code;
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 302fee9..2d190e3 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -273,6 +273,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -2676,6 +2677,21 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
tp->notsent_lowat = val;
sk->sk_write_space(sk);
break;
+   case TCP_TLS_TX:
+   case TCP_TLS_RX: {
+   int (*fn)(struct sock *sk, int optname,
+ char __user *optval, unsigned int optlen);
+
+   fn = symbol_get(tls_sk_attach);
+   if (!fn) {
+   err = -EINVAL;
+   break;
+   }
+
+   err = fn(sk, optname, optval, optlen);
+   symbol_put(tls_sk_attach);
+   break;
+   }
default:
err = -ENOPROTOOPT;
break;
@@ -3064,6 +3080,22 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
}
return 0;
}
+   case TCP_TLS_TX:
+   case TCP_TLS_RX: {
+   int err;
+   int (*fn)(struct sock *sk, int optname,
+ char __user *optval, int __user *optlen);
+
+   fn = symbol_get(tls_sk_query);
+   if (!fn) {
+   err = -EINVAL;
+   break;
+   }
+
+   err = fn(sk, optname, optval, optlen);
+   symbol_put(tls_sk_query);
+   return err;
+   }
default:
return -ENOPROTOOPT;
}
-- 
2.7.4