Revision tags: release/14.0.0 |
|
#
031beb4e |
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
sys: Remove $FreeBSD$: one-line sh pattern
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
|
Revision tags: release/13.2.0, release/12.4.0, release/13.1.0, release/12.3.0, release/13.0.0, release/12.2.0, release/11.4.0, release/12.1.0 |
|
#
22fc8564 |
| 10-Oct-2019 |
John Baldwin <jhb@FreeBSD.org> |
Add opt_kern_tls.h to the sources from t4_tom.ko.
Missed in r353328.
Sponsored by: Chelsio Communications
|
Revision tags: release/11.3.0, release/12.0.0, release/11.2.0 |
|
#
1e9538d2 |
| 14-Mar-2018 |
John Baldwin <jhb@FreeBSD.org> |
Support for TLS offload of TOE connections on T6 adapters.
The TOE engine in Chelsio T6 adapters supports offloading of TLS encryption and TCP segmentation for offloaded connections. Sockets using
Support for TLS offload of TOE connections on T6 adapters.
The TOE engine in Chelsio T6 adapters supports offloading of TLS encryption and TCP segmentation for offloaded connections. Sockets using TLS are required to use a set of custom socket options to upload RX and TX keys to the NIC and to enable RX processing. Currently these socket options are implemented as TCP options in the vendor specific range. A patched OpenSSL library will be made available in a port / package for use with the TLS TOE support.
TOE sockets can either offload both transmit and reception of TLS records or just transmit. TLS offload (both RX and TX) is enabled by setting the dev.t6nex.<x>.tls sysctl to 1 and requires TOE to be enabled on the relevant interface. Transmit offload can be used on any "normal" or TLS TOE socket by using the custom socket option to program a transmit key. This permits most TOE sockets to transparently offload TLS when applications use a patched SSL library (e.g. using LD_LIBRARY_PATH to request use of a patched OpenSSL library). Receive offload can only be used with TOE sockets using the TLS mode. The dev.t6nex.0.toe.tls_rx_ports sysctl can be set to a list of TCP port numbers. Any connection with either a local or remote port number in that list will be created as a TLS socket rather than a plain TOE socket. Note that although this sysctl accepts an arbitrary list of port numbers, the sysctl(8) tool is only able to set sysctl nodes to a single value. A TLS socket will hang without receiving data if used by an application that is not using a patched SSL library. Thus, the tls_rx_ports node should be used with care. For a server mostly concerned with offloading TLS transmit, this node is not needed as plain TOE sockets will fall back to software crypto when using an unpatched SSL library.
New per-interface statistics nodes are added giving counts of TLS packets and payload bytes (payload bytes do not include TLS headers or authentication tags/MACs) offloaded via the TOE engine, e.g.:
dev.cc.0.stats.rx_tls_octets: 149 dev.cc.0.stats.rx_tls_records: 13 dev.cc.0.stats.tx_tls_octets: 26501823 dev.cc.0.stats.tx_tls_records: 1620
TLS transmit work requests are constructed by a new variant of t4_push_frames() called t4_push_tls_records() in tom/t4_tls.c.
TLS transmit work requests require a buffer containing IVs. If the IVs are too large to fit into the work request, a separate buffer is allocated when constructing a work request. This buffer is associated with the transmit descriptor and freed when the descriptor is ACKed by the adapter.
Received TLS frames use two new CPL messages. The first message is a CPL_TLS_DATA containing the decryped payload of a single TLS record. The handler places the mbuf containing the received payload on an mbufq in the TOE pcb. The second message is a CPL_RX_TLS_CMP message which includes a copy of the TLS header and indicates if there were any errors. The handler for this message places the TLS header into the socket buffer followed by the saved mbuf with the payload data. Both of these handlers are contained in tom/t4_tls.c.
A few routines were exposed from t4_cpl_io.c for use by t4_tls.c including send_rx_credits(), a new send_rx_modulate(), and t4_close_conn().
TLS keys for both transmit and receive are stored in onboard memory in the NIC in the "TLS keys" memory region.
In some cases a TLS socket can hang with pending data available in the NIC that is not delivered to the host. As a workaround, TLS sockets are more aggressive about sending CPL_RX_DATA_ACK messages anytime that any data is read from a TLS socket. In addition, a fallback timer will periodically send CPL_RX_DATA_ACK messages to the NIC for connections that are still in the handshake phase. Once the connection has finished the handshake and programmed RX keys via the socket option, the timer is stopped.
A new function select_ulp_mode() is used to determine what sub-mode a given TOE socket should use (plain TOE, DDP, or TLS). The existing set_tcpddp_ulp_mode() function has been renamed to set_ulp_mode() and handles initialization of TLS-specific state when necessary in addition to DDP-specific state.
Since TLS sockets do not receive individual TCP segments but always receive full TLS records, they can receive more data than is available in the current window (e.g. if a 16k TLS record is received but the socket buffer is itself 16k). To cope with this, just drop the window to 0 when this happens, but track the overage and "eat" the overage as it is read from the socket buffer not opening the window (or adding rx_credits) for the overage bytes.
Reviewed by: np (earlier version) Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D14529
show more ...
|
Revision tags: release/10.4.0, release/11.1.0 |
|
#
7e1b7636 |
| 08-May-2017 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r317808 through r317970.
|
#
67904997 |
| 05-May-2017 |
Navdeep Parhar <np@FreeBSD.org> |
cxgbe/t4_tom: Per-connection rate limiting for TCP sockets handled by the TOE. For now this capability is always enabled in kernels with options RATELIMIT. t4_tom will check if_capenable once the b
cxgbe/t4_tom: Per-connection rate limiting for TCP sockets handled by the TOE. For now this capability is always enabled in kernels with options RATELIMIT. t4_tom will check if_capenable once the base driver gets code to support rate limiting for any socket (TOE or not).
This was tested with iperf3 and netperf ToT as they already support SO_MAX_PACING_RATE sockopt. There is a bug in firmwares prior to 1.16.45.0 that affects the BSD driver only and results in rate-limiting at an incorrect rate. This will resolve by itself as soon as 1.16.45.0 or later firmware shows up in the driver.
Relnotes: Yes Sponsored by: Chelsio Communications
show more ...
|
#
193d9e76 |
| 04-Mar-2017 |
Enji Cooper <ngie@FreeBSD.org> |
sys/modules: normalize .CURDIR-relative paths to SRCTOP
This simplifies make output/logic
Tested with: `cd sys/modules; make ALL_MODULES=` on amd64 MFC after: 1 month Sponsored by: Dell EMC Isilon
|
Revision tags: release/11.0.1, release/11.0.0, release/10.3.0, release/10.2.0 |
|
#
9268022b |
| 19-Nov-2014 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Merge from head@274682
|
Revision tags: release/10.1.0 |
|
#
246e7a2b |
| 02-Sep-2014 |
Neel Natu <neel@FreeBSD.org> |
IFC @r269962
Submitted by: Anish Gupta (akgupt3@gmail.com)
|
#
1b833d53 |
| 13-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Sync to HEAD@r269943.
|
#
aeaed508 |
| 05-Aug-2014 |
Warner Losh <imp@FreeBSD.org> |
Move most of the 15 variations on generating opt_inet.h and opt_inet6.h into kmod.mk by forcing almost everybody to eat the same dogfood. While at it, consolidate the opt_bpf.h and opt_mroute.h targe
Move most of the 15 variations on generating opt_inet.h and opt_inet6.h into kmod.mk by forcing almost everybody to eat the same dogfood. While at it, consolidate the opt_bpf.h and opt_mroute.h targets here too.
show more ...
|
#
21b787b8 |
| 01-Aug-2014 |
Navdeep Parhar <np@FreeBSD.org> |
List one file per line in the Makefiles. This makes it easier to read diffs when a file is added or removed.
MFC after: 2 weeks
|
#
88998d7a |
| 01-Aug-2014 |
Navdeep Parhar <np@FreeBSD.org> |
Improve compliance with style.Makefile(5).
MFC after: 2 weeks
|
Revision tags: release/9.3.0 |
|
#
6cec9cad |
| 03-Jun-2014 |
Peter Grehan <grehan@FreeBSD.org> |
MFC @ r266724
An SVM update will follow this.
|
#
414fdaf0 |
| 21-May-2014 |
Alan Somers <asomers@FreeBSD.org> |
IFC @266473
|
#
cc3f4b99 |
| 09-May-2014 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Merge from head
|
#
c6063d0d |
| 06-May-2014 |
Warner Losh <imp@FreeBSD.org> |
Use src.opts.mk in preference to bsd.own.mk except where we need stuff from the latter.
|
Revision tags: release/10.0.0, release/9.2.0 |
|
#
cfe30d02 |
| 19-Jun-2013 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Merge fresh head.
|
Revision tags: release/8.4.0 |
|
#
d241a0e6 |
| 26-Feb-2013 |
Xin LI <delphij@FreeBSD.org> |
IFC @247348.
|
#
d9a44755 |
| 08-Feb-2013 |
David E. O'Brien <obrien@FreeBSD.org> |
Sync with HEAD.
|
#
c2217b98 |
| 17-Jan-2013 |
Neel Natu <neel@FreeBSD.org> |
IFC @ r245509
|
#
0a0a697c |
| 14-Jan-2013 |
Navdeep Parhar <np@FreeBSD.org> |
cxgbe(4): Updates to the hardware L2 table management code.
- Add full support for IPv6 addresses.
- Read the size of the L2 table during attach. Do not assume that PCIe physical function 4 of t
cxgbe(4): Updates to the hardware L2 table management code.
- Add full support for IPv6 addresses.
- Read the size of the L2 table during attach. Do not assume that PCIe physical function 4 of the card has all of the table to itself.
- Use FNV instead of Jenkins to hash L3 addresses and drop the private copy of jhash.h from the driver.
MFC after: 1 week
show more ...
|
Revision tags: release/9.1.0 |
|
#
e477abf7 |
| 27-Nov-2012 |
Alexander Motin <mav@FreeBSD.org> |
MFC @ r241285
|
#
a10c6f55 |
| 11-Nov-2012 |
Neel Natu <neel@FreeBSD.org> |
IFC @ r242684
|
#
23090366 |
| 04-Nov-2012 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Sync from head
|
#
24bf3585 |
| 04-Sep-2012 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Merge head r233826 through r240095.
|