Changes in Kconfig

da89f2e3121531804f45abd33db05b432e42606c - tls: don't select STREAM_PARSER

Thu, 26 Feb 2026 15:26:27 +0100

tls: don't select STREAM_PARSERktls was converted to its own stream parser in commit84c61fe1a75b ("tls: rx: do not use the standard strparser"), but theKconfig dependency was left. The only part of the original strparserthat's shared with ktls are a few structs (strp_msg, sk_skb_cb) andthe strp_msg helper, those don't require building the net/strparsercode.Signed-off-by: Sabrina Dubroca Link: https://patch.msgid.link/cb41e513a30eeaac0b419284cc87433f049b2ee0.1771871995.git.sd@queasysnail.netSigned-off-by: Jakub Kicinski List of files: /linux/net/tls/Kconfig

9f06f87fef689d28588cde8c7ebb00a67da34026 - net: skbuff: generalize the skb->decrypted bit

Wed, 03 Apr 2024 22:21:39 +0200

net: skbuff: generalize the skb->decrypted bitThe ->decrypted bit can be reused for other crypto protocols.Remove the direct dependency on TLS, add helpers to clean upthe ifdefs leaking out everywhere.Signed-off-by: Jakub Kicinski Reviewed-by: David Ahern Signed-off-by: David S. Miller List of files: /linux/net/tls/Kconfig

76f165939ea3e765ebf900ae840135041f9abcbb - net/tls: Select SOCK_RX_QUEUE_MAPPING from TLS_DEVICE

Thu, 11 Feb 2021 12:35:52 +0100

net/tls: Select SOCK_RX_QUEUE_MAPPING from TLS_DEVICECompile-in the socket RX queue mapping field and logic when TLS_DEVICEis enabled. This allows device drivers to pick the recorded socket'sRX queue and use it for streams distribution.Signed-off-by: Tariq Toukan Reviewed-by: Maxim Mikityanskiy Signed-off-by: David S. Miller List of files: /linux/net/tls/Kconfig

a7f7f6248d9740d710fd6bd190293fe5e16410ac - treewide: replace '---help---' in Kconfig files with 'help'

Sat, 13 Jun 2020 18:50:22 +0200

treewide: replace '---help---' in Kconfig files with 'help'Since commit 84af7a6194e4 ("checkpatch: kconfig: prefer 'help' over'---help---'"), the number of '---help---' has been graduallydecreasing, but there are still more than 2400 instances.This commit finishes the conversion. While I touched the lines,I also fixed the indentation.There are a variety of indentation styles found. a) 4 spaces + '---help---' b) 7 spaces + '---help---' c) 8 spaces + '---help---' d) 1 space + 1 tab + '---help---' e) 1 tab + '---help---' (correct indentation) f) 1 tab + 1 space + '---help---' g) 1 tab + 2 spaces + '---help---'In order to convert all of them to 1 tab + 'help', I ran thefollowing commend: $ find . -name 'Kconfig*' | xargs sed -i 's/^[[:space:]]*---help---/\thelp/'Signed-off-by: Masahiro Yamada List of files: /linux/net/tls/Kconfig

53b4414a7003099f41ab61ef9a452804c025e2c1 - net/tls: allow compiling TLS TOE out

Thu, 03 Oct 2019 20:18:59 +0200

net/tls: allow compiling TLS TOE outTLS "record layer offload" requires TOE, and bypasses most ofthe normal networking stack. It is also significantly lessmaintained. Allow users to compile it out to avoid issues.Signed-off-by: Jakub Kicinski Reviewed-by: John Hurley Reviewed-by: Simon Horman Signed-off-by: David S. Miller List of files: /linux/net/tls/Kconfig

ec8f24b7faaf3d4799a7c3f4c1b87f6b02778ad1 - treewide: Add SPDX license identifier - Makefile/Kconfig

Sun, 19 May 2019 14:07:45 +0200

treewide: Add SPDX license identifier - Makefile/KconfigAdd SPDX license identifiers to all Make/Kconfig files which: - Have no license information of any formThese files fall under the project license, GPL v2 only. The resulting SPDXlicense identifier is: GPL-2.0-onlySigned-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman List of files: /linux/net/tls/Kconfig

d829e9c4112b52f4f00195900fd4c685f61365ab - tls: convert to generic sk_msg interface

Sat, 13 Oct 2018 02:45:59 +0200

tls: convert to generic sk_msg interfaceConvert kTLS over to make use of sk_msg interface for plaintext andencrypted scattergather data, so it reuses all the sk_msg helpersand data structure which later on in a second step enables to gluethis to BPF.This also allows to remove quite a bit of open coded helpers whichare covered by the sk_msg API. Recent changes in kTLs 80ece6a03aaf("tls: Remove redundant vars from tls record structure") and4e6d47206c32 ("tls: Add support for inplace records encryption")changed the data path handling a bit; while we've kept the latteroptimization intact, we had to undo the former change to betterfit the sk_msg model, hence the sg_aead_in and sg_aead_out havebeen brought back and are linked into the sk_msg sgs. Now the kTLSrecord contains a msg_plaintext and msg_encrypted sk_msg each.In the original code, the zerocopy_from_iter() has been used outof TX but also RX path. For the strparser skb-based RX path,we've left the zerocopy_from_iter() in decrypt_internal() mostlyuntouched, meaning it has been moved into tls_setup_from_iter()with charging logic removed (as not used from RX). Given RX pathis not based on sk_msg objects, we haven't pursued setting up adummy sk_msg to call into sk_msg_zerocopy_from_iter(), but itcould be an option to prusue in a later step.Joint work with John.Signed-off-by: Daniel Borkmann Signed-off-by: John Fastabend Signed-off-by: Alexei Starovoitov List of files: /linux/net/tls/Kconfig

e8f69799810c32dd40c6724d829eccc70baad07f - net/tls: Add generic NIC offload infrastructure

Mon, 30 Apr 2018 09:16:16 +0200

net/tls: Add generic NIC offload infrastructureThis patch adds a generic infrastructure to offload TLS crypto to anetwork device. It enables the kernel TLS socket to skip encryptionand authentication operations on the transmit side of the data path.Leaving those computationally expensive operations to the NIC.The NIC offload infrastructure builds TLS records and pushes them tothe TCP layer just like the SW KTLS implementation and using the sameAPI.TCP segmentation is mostly unaffected. Currently the only exception isthat we prevent mixed SKBs where only part of the payload requiresoffload. In the future we are likely to add a similar restrictionfollowing a change cipher spec record.The notable differences between SW KTLS and NIC offloaded TLSimplementations are as follows:1. The offloaded implementation builds "plaintext TLS record", thoserecords contain plaintext instead of ciphertext and place holder bytesinstead of authentication tags.2. The offloaded implementation maintains a mapping from TCP sequencenumber to TLS records. Thus given a TCP SKB sent from a NIC offloadedTLS socket, we can use the tls NIC offload infrastructure to obtainenough context to encrypt the payload of the SKB.A TLS record is released when the last byte of the record is ack'ed,this is done through the new icsk_clean_acked callback.The infrastructure should be extendable to support various NIC offloadimplementations. However it is currently written with theimplementation below in mind:The NIC assumes that packets from each offloaded stream are sent asplaintext and in-order. It keeps track of the TLS records in the TCPstream. When a packet marked for offload is transmitted, the NICencrypts the payload in-place and puts authentication tags in therelevant place holders.The responsibility for handling out-of-order packets (i.e. TCPretransmission, qdisc drops) falls on the netdev driver.The netdev driver keeps track of the expected TCP SN from the NIC'sperspective. If the next packet to transmit matches the expected TCPSN, the driver advances the expected TCP SN, and transmits the packetwith TLS offload indication.If the next packet to transmit does not match the expected TCP SN. Thedriver calls the TLS layer to obtain the TLS record that includes theTCP of the packet for transmission. Using this TLS record, the driverposts a work entry on the transmit queue to reconstruct the NIC TLSstate required for the offload of the out-of-order packet. It updatesthe expected TCP SN accordingly and transmits the now in-order packet.The same queue is used for packet transmission and TLS contextreconstruction to avoid the need for flushing the transmit queue beforeissuing the context reconstruction request.Signed-off-by: Ilya Lesokhin Signed-off-by: Boris Pismenny Signed-off-by: Aviad Yehezkel Signed-off-by: David S. Miller List of files: /linux/net/tls/Kconfig

c46234ebb4d1eee5e09819f49169e51cfc6eb909 - tls: RX path for ktls

Thu, 22 Mar 2018 18:10:35 +0100

tls: RX path for ktlsAdd rx path for tls software implementation.recvmsg, splice_read, and poll implemented.An additional sockopt TLS_RX is added, with the same interface asTLS_TX. Either TLX_RX or TLX_TX may be provided separately, ortogether (with two different setsockopt calls with appropriate keys).Control messages are passed via CMSG in a similar way to transmit.If no cmsg buffer is passed, then only application data recordswill be passed to userspace, and EIO is returned for other types ofalerts.EBADMSG is passed for decryption errors, and EMSGSIZE is passed forframing too big, and EBADMSG for framing too small (matching opensslsemantics). EINVAL is returned for TLS versions that do not match theoriginal setsockopt call. All are unrecoverable.strparser is used to parse TLS framing. Decryption is done directlyin to userspace buffers if they are large enough to support it, otherwisesk_cow_data is called (similar to ipsec), and buffers are decrypted inplace and copied. splice_read always decrypts in place, since nobuffers are provided to decrypt in to.sk_poll is overridden, and only returns POLLIN if a full TLS message isreceived. Otherwise we wait for strparser to finish reading a full frame.Actual decryption is only done during recvmsg or splice_read calls.Signed-off-by: Dave Watson Signed-off-by: David S. Miller List of files: /linux/net/tls/Kconfig

d807ec656f868c1800e38cefa98be3ec680f6a1f - tls: update Kconfig

Sat, 17 Jun 2017 17:25:13 +0200

tls: update KconfigMissing crypto deps for some platforms.Default to n for new module.config: m68k-amcore_defconfig (attached as .config)compiler: m68k-linux-gcc (GCC) 4.9.0make.cross ARCH=m68kAll errors (new ones prefixed by >>): net/built-in.o: In function `tls_set_sw_offload':>> (.text+0x732f8): undefined reference to `crypto_alloc_aead' net/built-in.o: In function `tls_set_sw_offload':>> (.text+0x7333c): undefined reference to `crypto_aead_setkey' net/built-in.o: In function `tls_set_sw_offload':>> (.text+0x73354): undefined reference to `crypto_aead_setauthsize'Reported-by: kbuild test robot Signed-off-by: Dave Watson Signed-off-by: David S. Miller List of files: /linux/net/tls/Kconfig

54144b4825ea7790cbc32a0f75a1103a97907646 - tls: Depend upon INET not plain NET.

Fri, 16 Jun 2017 17:28:49 +0200

tls: Depend upon INET not plain NET.We refer to TCP et al. symbols so have to use INET asthe dependency. ERROR: "tcp_prot" [net/tls/tls.ko] undefined!>> ERROR: "tcp_rate_check_app_limited" [net/tls/tls.ko] undefined! ERROR: "tcp_register_ulp" [net/tls/tls.ko] undefined! ERROR: "tcp_unregister_ulp" [net/tls/tls.ko] undefined! ERROR: "do_tcp_sendpages" [net/tls/tls.ko] undefined!Reported-by: kbuild test robot Signed-off-by: David S. Miller List of files: /linux/net/tls/Kconfig

3c4d7559159bfe1e3b94df3a657b2cda3a34e218 - tls: kernel TLS support

Wed, 14 Jun 2017 20:37:39 +0200

tls: kernel TLS supportSoftware implementation of transport layer security, implemented using ULPinfrastructure. tcp proto_ops are replaced with tls equivalents of sendmsg andsendpage.Only symmetric crypto is done in the kernel, keys are passed by setsockoptafter the handshake is complete. All control messages are supported via CMSGdata - the actual symmetric encryption is the same, just the message type needsto be passed separately.For user API, please see Documentation patch.Pieces that can be shared between hw and sw implementationare in tls_main.cSigned-off-by: Boris Pismenny Signed-off-by: Ilya Lesokhin Signed-off-by: Aviad Yehezkel Signed-off-by: Dave Watson Signed-off-by: David S. Miller List of files: /linux/net/tls/Kconfig