tls-offload.rst - OpenGrok cross reference for /kernel/linux/linux-5.10/Documentation/networking/tls-offload.rst

Lines Matching +full:stream +full:- +full:mode +full:- +full:support
1 .. SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
13 For details regarding the user-facing interface refer to the TLS
18  * Software crypto mode (``TLS_SW``) - CPU handles the cryptography.
24  * Packet-based NIC offload mode (``TLS_HW``) - the NIC handles crypto
26    This mode integrates best with the kernel stack and is described in detail
28    (``ethtool`` flags ``tls-hw-tx-offload`` and ``tls-hw-rx-offload``).
29  * Full TCP NIC offload mode (``TLS_HW_RECORD``) - mode of operation where
33    abilities or QoS and packet scheduling (``ethtool`` flag ``tls-hw-record``).
35 The operation mode is selected automatically based on device configuration,
36 offload opt-in or opt-out on per-connection basis is not currently supported.
39 --
43 mode) and then hands the modified scatter list to the TCP layer. From this
46 In ``TLS_HW`` mode the encryption is not performed in the TLS ULP.
52 --
63 .. kernel-figure::  tls-offload-layers.svg
82 network device is offload-capable and attempts the offload. In case offload
89 .. code-block:: c
98 to retrieve the connection 5-tuple and socket family (IPv4 vs IPv6).
108 --
111 of the stream will start exactly at the ``start_offload_tcp_sn`` sequence
121 --
141 to be possible device has to keep small amount of segment-to-segment state.
154 --
163 a connection identifier (note that a 5-tuple lookup is insufficient to identify
171 --
175 checksum and performs a 5-tuple lookup to find any TLS connection the packet
176 may belong to (technically a 4-tuple
177 lookup is sufficient - IP addresses and TCP port numbers, as the protocol
182 Device indicates successful handling of TLS offload in the per-packet context
188 and non-decrypted segments do not get coalesced (e.g. by GRO or socket layer)
195 synchronization with the TLS stream, and require a resync with the kernel's
199 added to the device table and are in TLS_HW mode. For example,
205 --
208 in similar ways to the receive side-retransmissions - local drops
224 In this mode depending on the implementation the driver can either ask
227 with the previous stream state - assuming that the out of order segment
244 .. code-block:: c
252 .. code-block:: c
262 --
268 .. kernel-figure::  tls-offload-reorder-good.svg
269    :alt:	reorder of non-header segment
272    Reorder of non-header segment
293 .. kernel-figure::  tls-offload-reorder-bad.svg
302 the device will lose synchronization with the stream.
304 Stream scan resynchronization
307 When the device gets out of sync and the stream reaches TCP sequence
322 and counting all records since the just-confirmed one, it adds the number
330 restart scan. Given how unlikely falsely-matching stream is, however,
334 asynchronously to the packet stream and record may get processed
337 Stack-driven resynchronization
342 If the connection is configured in this mode the stack automatically
357 --
373 --
387 The Linux networking stack does not provide a way of reporting per-packet
408 --------------------
410 The number of connections device can support can be exposed via
414 -------------------------------
419 significant performance impact on non-offloaded streams.
424 Following minimum set of TLS-related statistics should be reported
427  * ``rx_tls_decrypted_packets`` - number of successfully decrypted RX packets
428    which were part of a TLS stream.
429  * ``rx_tls_decrypted_bytes`` - number of TLS payload bytes in RX packets
431  * ``rx_tls_ctx`` - number of TLS RX HW offload contexts added to device for
433  * ``rx_tls_del`` - number of TLS RX HW offload contexts deleted from device
435  * ``rx_tls_resync_req_pkt`` - number of received TLS packets with a resync
437  * ``rx_tls_resync_req_start`` - number of times the TLS async resync request
439  * ``rx_tls_resync_req_end`` - number of times the TLS async resync request
440     properly ended with providing the HW tracked tcp-seq.
441  * ``rx_tls_resync_req_skip`` - number of times the TLS async resync request
443  * ``rx_tls_resync_res_ok`` - number of times the TLS resync response call to
445  * ``rx_tls_resync_res_skip`` - number of times the TLS resync response call to
447  * ``rx_tls_err`` - number of RX packets which were part of a TLS stream
449  * ``tx_tls_encrypted_packets`` - number of TX packets passed to the device
451  * ``tx_tls_encrypted_bytes`` - number of TLS payload bytes in TX packets
453  * ``tx_tls_ctx`` - number of TLS TX HW offload contexts added to device for
455  * ``tx_tls_ooo`` - number of TX packets which were part of a TLS stream
457  * ``tx_tls_skip_no_sync_data`` - number of TX packets which were part of
458    a TLS stream and arrived out-of-order, but skipped the HW offload routine
461  * ``tx_tls_drop_no_sync_data`` - number of TX packets which were part of
462    a TLS stream dropped, because they arrived out of order and associated
464  * ``tx_tls_drop_bypass_req`` - number of TX packets which were part of a TLS
465    stream dropped, because they contain both data that has been encrypted by
473 5-tuple matching limitations
474 ----------------------------
476 The device can only recognize received packets based on the 5-tuple
481 any intermediate software device, therefore a 5-tuple match may
487 ------------
494 ---------------
501 -----------------------------------------------------
503 Offloaded ``ktls`` sockets should support standard TCP stack features
508 ----------------------------
517 -------------
525 -------------------