€•‹w      Œsphinx.addnodes”Œdocument”“”)”}”(Œ	rawsource”Œ ”Œchildren”]”(Œtranslations”ŒLanguagesNode”“”)”}”(hhh]”(h Œpending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ
attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ	refdomain”Œstd”Œreftype”Œdoc”Œ	reftarget”Œ//translations/zh_CN/networking/xfrm/xfrm_device”Œmodname”NŒ	classname”NŒrefexplicit”ˆuŒtagname”hhhubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ//translations/zh_TW/networking/xfrm/xfrm_device”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ//translations/it_IT/networking/xfrm/xfrm_device”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ//translations/ja_JP/networking/xfrm/xfrm_device”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ//translations/ko_KR/networking/xfrm/xfrm_device”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒSpanish”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ//translations/sp_SP/networking/xfrm/xfrm_device”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h
hhŒ	_document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh£sbah}”(h]”h ]”h"]”h$]”h&]”Œ	xml:space”Œpreserve”uh1h¡hhhžhhŸŒI/var/lib/git/docbuild/linux/Documentation/networking/xfrm/xfrm_device.rst”h KubhŒtarget”“”)”}”(hŒ.. _xfrm_device:”h]”h}”(h]”h ]”h"]”h$]”h&]”Œrefid”Œxfrm-device”uh1h´h KhhhžhhŸh³ubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒ/XFRM device - offloading the IPsec computations”h]”hŒ/XFRM device - offloading the IPsec computations”…””}”(hhÉhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhhÄhžhhŸh³h KubhŒ	paragraph”“”)”}”(hŒNShannon Nelson <shannon.nelson@oracle.com>
Leon Romanovsky <leonro@nvidia.com>”h]”(hŒShannon Nelson <”…””}”(hhÙhžhhŸNh NubhŒ	reference”“”)”}”(hŒshannon.nelson@oracle.com”h]”hŒshannon.nelson@oracle.com”…””}”(hhãhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”Œ mailto:shannon.nelson@oracle.com”uh1háhhÙubhŒ>
Leon Romanovsky <”…””}”(hhÙhžhhŸNh Nubhâ)”}”(hŒleonro@nvidia.com”h]”hŒleonro@nvidia.com”…””}”(hh÷hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”Œmailto:leonro@nvidia.com”uh1háhhÙubhŒ>”…””}”(hhÙhžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KhhÄhžhubhÃ)”}”(hhh]”(hÈ)”}”(hŒOverview”h]”hŒOverview”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhj  hžhhŸh³h KubhØ)”}”(hX±  IPsec is a useful feature for securing network traffic, but the
computational cost is high: a 10Gbps link can easily be brought down
to under 1Gbps, depending on the traffic and link configuration.
Luckily, there are NICs that offer a hardware based IPsec offload which
can radically increase throughput and decrease CPU utilization.  The XFRM
Device interface allows NIC drivers to offer to the stack access to the
hardware offload.”h]”hX±  IPsec is a useful feature for securing network traffic, but the
computational cost is high: a 10Gbps link can easily be brought down
to under 1Gbps, depending on the traffic and link configuration.
Luckily, there are NICs that offer a hardware based IPsec offload which
can radically increase throughput and decrease CPU utilization.  The XFRM
Device interface allows NIC drivers to offer to the stack access to the
hardware offload.”…””}”(hj"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Khj  hžhubhØ)”}”(hŒHRight now, there are two types of hardware offload that kernel supports:”h]”hŒHRight now, there are two types of hardware offload that kernel supports:”…””}”(hj0  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Khj  hžhubhŒblock_quote”“”)”}”(hX0  * IPsec crypto offload:

  * NIC performs encrypt/decrypt
  * Kernel does everything else

* IPsec packet offload:

  * NIC performs encrypt/decrypt
  * NIC does encapsulation
  * Kernel and NIC have SA and policy in-sync
  * NIC handles the SA and policies states
  * The Kernel talks to the keymanager
”h]”hŒbullet_list”“”)”}”(hhh]”(hŒ	list_item”“”)”}”(hŒTIPsec crypto offload:

* NIC performs encrypt/decrypt
* Kernel does everything else
”h]”(hØ)”}”(hŒIPsec crypto offload:”h]”hŒIPsec crypto offload:”…””}”(hjO  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KhjK  ubjE  )”}”(hhh]”(jJ  )”}”(hŒNIC performs encrypt/decrypt”h]”hØ)”}”(hjb  h]”hŒNIC performs encrypt/decrypt”…””}”(hjd  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Khj`  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jI  hj]  ubjJ  )”}”(hŒKernel does everything else
”h]”hØ)”}”(hŒKernel does everything else”h]”hŒKernel does everything else”…””}”(hj{  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Khjw  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jI  hj]  ubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ*”uh1jD  hŸh³h KhjK  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jI  hjF  ubjJ  )”}”(hŒÉIPsec packet offload:

* NIC performs encrypt/decrypt
* NIC does encapsulation
* Kernel and NIC have SA and policy in-sync
* NIC handles the SA and policies states
* The Kernel talks to the keymanager
”h]”(hØ)”}”(hŒIPsec packet offload:”h]”hŒIPsec packet offload:”…””}”(hj¡  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Khj  ubjE  )”}”(hhh]”(jJ  )”}”(hŒNIC performs encrypt/decrypt”h]”hØ)”}”(hj´  h]”hŒNIC performs encrypt/decrypt”…””}”(hj¶  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K hj²  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jI  hj¯  ubjJ  )”}”(hŒNIC does encapsulation”h]”hØ)”}”(hjË  h]”hŒNIC does encapsulation”…””}”(hjÍ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K!hjÉ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jI  hj¯  ubjJ  )”}”(hŒ)Kernel and NIC have SA and policy in-sync”h]”hØ)”}”(hjâ  h]”hŒ)Kernel and NIC have SA and policy in-sync”…””}”(hjä  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K"hjà  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jI  hj¯  ubjJ  )”}”(hŒ&NIC handles the SA and policies states”h]”hØ)”}”(hjù  h]”hŒ&NIC handles the SA and policies states”…””}”(hjû  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K#hj÷  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jI  hj¯  ubjJ  )”}”(hŒ#The Kernel talks to the keymanager
”h]”hØ)”}”(hŒ"The Kernel talks to the keymanager”h]”hŒ"The Kernel talks to the keymanager”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K$hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jI  hj¯  ubeh}”(h]”h ]”h"]”h$]”h&]”j•  j–  uh1jD  hŸh³h K hj  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jI  hjF  ubeh}”(h]”h ]”h"]”h$]”h&]”j•  j–  uh1jD  hŸh³h Khj@  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j>  hŸh³h Khj  hžhubhØ)”}”(hŒïUserland access to the offload is typically through a system such as
libreswan or KAME/raccoon, but the iproute2 'ip xfrm' command set can
be handy when experimenting.  An example command might look something
like this for crypto offload::”h]”hŒòUserland access to the offload is typically through a system such as
libreswan or KAME/raccoon, but the iproute2 â€˜ip xfrmâ€™ command set can
be handy when experimenting.  An example command might look something
like this for crypto offload:”…””}”(hj>  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K&hj  hžhubhŒliteral_block”“”)”}”(hX  ip x s add proto esp dst 14.0.0.70 src 14.0.0.52 spi 0x07 mode transport \
   reqid 0x07 replay-window 32 \
   aead 'rfc4106(gcm(aes))' 0x44434241343332312423222114131211f4f3f2f1 128 \
   sel src 14.0.0.52/24 dst 14.0.0.70/24 proto tcp \
   offload dev eth4 dir in”h]”hX  ip x s add proto esp dst 14.0.0.70 src 14.0.0.52 spi 0x07 mode transport \
   reqid 0x07 replay-window 32 \
   aead 'rfc4106(gcm(aes))' 0x44434241343332312423222114131211f4f3f2f1 128 \
   sel src 14.0.0.52/24 dst 14.0.0.70/24 proto tcp \
   offload dev eth4 dir in”…””}”hjN  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1jL  hŸh³h K+hj  hžhubhØ)”}”(hŒand for packet offload::”h]”hŒand for packet offload:”…””}”(hj\  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K1hj  hžhubjM  )”}”(hXœ  ip x s add proto esp dst 14.0.0.70 src 14.0.0.52 spi 0x07 mode transport \
   reqid 0x07 replay-window 32 \
   aead 'rfc4106(gcm(aes))' 0x44434241343332312423222114131211f4f3f2f1 128 \
   sel src 14.0.0.52/24 dst 14.0.0.70/24 proto tcp \
   offload packet dev eth4 dir in

ip x p add src 14.0.0.70 dst 14.0.0.52 offload packet dev eth4 dir in
tmpl src 14.0.0.70 dst 14.0.0.52 proto esp reqid 10000 mode transport”h]”hXœ  ip x s add proto esp dst 14.0.0.70 src 14.0.0.52 spi 0x07 mode transport \
   reqid 0x07 replay-window 32 \
   aead 'rfc4106(gcm(aes))' 0x44434241343332312423222114131211f4f3f2f1 128 \
   sel src 14.0.0.52/24 dst 14.0.0.70/24 proto tcp \
   offload packet dev eth4 dir in

ip x p add src 14.0.0.70 dst 14.0.0.52 offload packet dev eth4 dir in
tmpl src 14.0.0.70 dst 14.0.0.52 proto esp reqid 10000 mode transport”…””}”hjj  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1jL  hŸh³h K3hj  hžhubhØ)”}”(hŒIYes, that's ugly, but that's what shell scripts and/or libreswan are for.”h]”hŒMYes, thatâ€™s ugly, but thatâ€™s what shell scripts and/or libreswan are for.”…””}”(hjx  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K<hj  hžhubeh}”(h]”Œoverview”ah ]”h"]”Œoverview”ah$]”h&]”uh1hÂhhÄhžhhŸh³h KubhÃ)”}”(hhh]”(hÈ)”}”(hŒCallbacks to implement”h]”hŒCallbacks to implement”…””}”(hj‘  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhjŽ  hžhhŸh³h KAubjM  )”}”(hX  /* from include/linux/netdevice.h */
struct xfrmdev_ops {
      /* Crypto and Packet offload callbacks */
      int     (*xdo_dev_state_add)(struct net_device *dev,
                                   struct xfrm_state *x,
                                   struct netlink_ext_ack *extack);
      void    (*xdo_dev_state_delete)(struct net_device *dev,
                                      struct xfrm_state *x);
      void    (*xdo_dev_state_free)(struct net_device *dev,
                                    struct xfrm_state *x);
      bool    (*xdo_dev_offload_ok) (struct sk_buff *skb,
                                     struct xfrm_state *x);
      void    (*xdo_dev_state_advance_esn) (struct xfrm_state *x);
      void    (*xdo_dev_state_update_stats) (struct xfrm_state *x);

      /* Solely packet offload callbacks */
      int     (*xdo_dev_policy_add) (struct xfrm_policy *x, struct netlink_ext_ack *extack);
      void    (*xdo_dev_policy_delete) (struct xfrm_policy *x);
      void    (*xdo_dev_policy_free) (struct xfrm_policy *x);
};”h]”hX  /* from include/linux/netdevice.h */
struct xfrmdev_ops {
      /* Crypto and Packet offload callbacks */
      int     (*xdo_dev_state_add)(struct net_device *dev,
                                   struct xfrm_state *x,
                                   struct netlink_ext_ack *extack);
      void    (*xdo_dev_state_delete)(struct net_device *dev,
                                      struct xfrm_state *x);
      void    (*xdo_dev_state_free)(struct net_device *dev,
                                    struct xfrm_state *x);
      bool    (*xdo_dev_offload_ok) (struct sk_buff *skb,
                                     struct xfrm_state *x);
      void    (*xdo_dev_state_advance_esn) (struct xfrm_state *x);
      void    (*xdo_dev_state_update_stats) (struct xfrm_state *x);

      /* Solely packet offload callbacks */
      int     (*xdo_dev_policy_add) (struct xfrm_policy *x, struct netlink_ext_ack *extack);
      void    (*xdo_dev_policy_delete) (struct xfrm_policy *x);
      void    (*xdo_dev_policy_free) (struct xfrm_policy *x);
};”…””}”hjŸ  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1jL  hŸh³h KEhjŽ  hžhubhØ)”}”(hX  The NIC driver offering ipsec offload will need to implement callbacks
relevant to supported offload to make the offload available to the network
stack's XFRM subsystem. Additionally, the feature bits NETIF_F_HW_ESP and
NETIF_F_HW_ESP_TX_CSUM will signal the availability of the offload.”h]”hX!  The NIC driver offering ipsec offload will need to implement callbacks
relevant to supported offload to make the offload available to the network
stackâ€™s XFRM subsystem. Additionally, the feature bits NETIF_F_HW_ESP and
NETIF_F_HW_ESP_TX_CSUM will signal the availability of the offload.”…””}”(hj­  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KZhjŽ  hžhubeh}”(h]”Œcallbacks-to-implement”ah ]”h"]”Œcallbacks to implement”ah$]”h&]”uh1hÂhhÄhžhhŸh³h KAubhÃ)”}”(hhh]”(hÈ)”}”(hŒFlow”h]”hŒFlow”…””}”(hjÆ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhjÃ  hžhhŸh³h KbubhØ)”}”(hŒ×At probe time and before the call to register_netdev(), the driver should
set up local data structures and XFRM callbacks, and set the feature bits.
The XFRM code's listener will finish the setup on NETDEV_REGISTER.”h]”hŒÙAt probe time and before the call to register_netdev(), the driver should
set up local data structures and XFRM callbacks, and set the feature bits.
The XFRM codeâ€™s listener will finish the setup on NETDEV_REGISTER.”…””}”(hjÔ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KdhjÃ  hžhubjM  )”}”(hŒ“adapter->netdev->xfrmdev_ops = &ixgbe_xfrmdev_ops;
adapter->netdev->features |= NETIF_F_HW_ESP;
adapter->netdev->hw_enc_features |= NETIF_F_HW_ESP;”h]”hŒ“adapter->netdev->xfrmdev_ops = &ixgbe_xfrmdev_ops;
adapter->netdev->features |= NETIF_F_HW_ESP;
adapter->netdev->hw_enc_features |= NETIF_F_HW_ESP;”…””}”hjâ  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1jL  hŸh³h KjhjÃ  hžhubhØ)”}”(hŒËWhen new SAs are set up with a request for "offload" feature, the
driver's xdo_dev_state_add() will be given the new SA to be offloaded
and an indication of whether it is for Rx or Tx.  The driver should”h]”hŒÑWhen new SAs are set up with a request for â€œoffloadâ€ feature, the
driverâ€™s xdo_dev_state_add() will be given the new SA to be offloaded
and an indication of whether it is for Rx or Tx.  The driver should”…””}”(hjð  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KnhjÃ  hžhubj?  )”}”(hXÝ  - verify the algorithm is supported for offloads
- store the SA information (key, salt, target-ip, protocol, etc)
- enable the HW offload of the SA
- return status value:

        ===========   ===================================
        0             success
        -EOPNETSUPP   offload not supported, try SW IPsec,
                      not applicable for packet offload mode
        other         fail the request
        ===========   ===================================
”h]”jE  )”}”(hhh]”(jJ  )”}”(hŒ.verify the algorithm is supported for offloads”h]”hØ)”}”(hj  h]”hŒ.verify the algorithm is supported for offloads”…””}”(hj	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Krhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jI  hj  ubjJ  )”}”(hŒ>store the SA information (key, salt, target-ip, protocol, etc)”h]”hØ)”}”(hj  h]”hŒ>store the SA information (key, salt, target-ip, protocol, etc)”…””}”(hj   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kshj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jI  hj  ubjJ  )”}”(hŒenable the HW offload of the SA”h]”hØ)”}”(hj5  h]”hŒenable the HW offload of the SA”…””}”(hj7  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kthj3  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jI  hj  ubjJ  )”}”(hX;  return status value:

      ===========   ===================================
      0             success
      -EOPNETSUPP   offload not supported, try SW IPsec,
                    not applicable for packet offload mode
      other         fail the request
      ===========   ===================================
”h]”(hØ)”}”(hŒreturn status value:”h]”hŒreturn status value:”…””}”(hjN  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KuhjJ  ubj?  )”}”(hX  ===========   ===================================
0             success
-EOPNETSUPP   offload not supported, try SW IPsec,
              not applicable for packet offload mode
other         fail the request
===========   ===================================
”h]”hŒtable”“”)”}”(hhh]”hŒtgroup”“”)”}”(hhh]”(hŒcolspec”“”)”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”Kuh1jj  hjg  ubjk  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”K&uh1jj  hjg  ubhŒtbody”“”)”}”(hhh]”(hŒrow”“”)”}”(hhh]”(hŒentry”“”)”}”(hhh]”hØ)”}”(hŒ0”h]”hŒ0”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KxhjŒ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jŠ  hj‡  ubj‹  )”}”(hhh]”hØ)”}”(hŒsuccess”h]”hŒsuccess”…””}”(hj¦  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kxhj£  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jŠ  hj‡  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j…  hj‚  ubj†  )”}”(hhh]”(j‹  )”}”(hhh]”hØ)”}”(hŒ-EOPNETSUPP”h]”hŒ-EOPNETSUPP”…””}”(hjÆ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KyhjÃ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jŠ  hjÀ  ubj‹  )”}”(hhh]”hØ)”}”(hŒKoffload not supported, try SW IPsec,
not applicable for packet offload mode”h]”hŒKoffload not supported, try SW IPsec,
not applicable for packet offload mode”…””}”(hjÝ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KyhjÚ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jŠ  hjÀ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j…  hj‚  ubj†  )”}”(hhh]”(j‹  )”}”(hhh]”hØ)”}”(hŒother”h]”hŒother”…””}”(hjý  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K{hjú  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jŠ  hj÷  ubj‹  )”}”(hhh]”hØ)”}”(hŒfail the request”h]”hŒfail the request”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K{hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jŠ  hj÷  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j…  hj‚  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j€  hjg  ubeh}”(h]”h ]”h"]”h$]”h&]”Œcols”Kuh1je  hjb  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j`  hj\  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j>  hŸh³h KwhjJ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jI  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”j•  Œ-”uh1jD  hŸh³h Krhjþ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j>  hŸh³h KrhjÃ  hžhubhØ)”}”(hŒ”The driver can also set an offload_handle in the SA, an opaque void pointer
that can be used to convey context into the fast-path offload requests::”h]”hŒ“The driver can also set an offload_handle in the SA, an opaque void pointer
that can be used to convey context into the fast-path offload requests:”…””}”(hjZ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K~hjÃ  hžhubjM  )”}”(hŒ!xs->xso.offload_handle = context;”h]”hŒ!xs->xso.offload_handle = context;”…””}”hjh  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1jL  hŸh³h KhjÃ  hžhubhØ)”}”(hXè  When the network stack is preparing an IPsec packet for an SA that has
been setup for offload, it first calls into xdo_dev_offload_ok() with
the skb and the intended offload state to ask the driver if the offload
will serviceable.  This can check the packet information to be sure the
offload can be supported (e.g. IPv4 or IPv6, no IPv4 options, etc) and
return true or false to signify its support. In case driver doesn't implement
this callback, the stack provides reasonable defaults.”h]”hXê  When the network stack is preparing an IPsec packet for an SA that has
been setup for offload, it first calls into xdo_dev_offload_ok() with
the skb and the intended offload state to ask the driver if the offload
will serviceable.  This can check the packet information to be sure the
offload can be supported (e.g. IPv4 or IPv6, no IPv4 options, etc) and
return true or false to signify its support. In case driver doesnâ€™t implement
this callback, the stack provides reasonable defaults.”…””}”(hjv  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K„hjÃ  hžhubhØ)”}”(hŒ¶Crypto offload mode:
When ready to send, the driver needs to inspect the Tx packet for the
offload information, including the opaque context, and set up the packet
send accordingly::”h]”hŒµCrypto offload mode:
When ready to send, the driver needs to inspect the Tx packet for the
offload information, including the opaque context, and set up the packet
send accordingly:”…””}”(hj„  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KŒhjÃ  hžhubjM  )”}”(hŒPxs = xfrm_input_state(skb);
context = xs->xso.offload_handle;
set up HW for send”h]”hŒPxs = xfrm_input_state(skb);
context = xs->xso.offload_handle;
set up HW for send”…””}”hj’  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1jL  hŸh³h K‘hjÃ  hžhubhØ)”}”(hŒšThe stack has already inserted the appropriate IPsec headers in the
packet data, the offload just needs to do the encryption and fix up the
header values.”h]”hŒšThe stack has already inserted the appropriate IPsec headers in the
packet data, the offload just needs to do the encryption and fix up the
header values.”…””}”(hj   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K•hjÃ  hžhubhØ)”}”(hX4  When a packet is received and the HW has indicated that it offloaded a
decryption, the driver needs to add a reference to the decoded SA into
the packet's skb.  At this point the data should be decrypted but the
IPsec headers are still in the packet data; they are removed later up
the stack in xfrm_input().”h]”hX6  When a packet is received and the HW has indicated that it offloaded a
decryption, the driver needs to add a reference to the decoded SA into
the packetâ€™s skb.  At this point the data should be decrypted but the
IPsec headers are still in the packet data; they are removed later up
the stack in xfrm_input().”…””}”(hj®  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KšhjÃ  hžhubhŒenumerated_list”“”)”}”(hhh]”(jJ  )”}”(hŒÛFind and hold the SA that was used to the Rx skb::

             /* get spi, protocol, and destination IP from packet headers */
             xs = find xs from (spi, protocol, dest_IP)
             xfrm_state_hold(xs);
”h]”(hØ)”}”(hŒ2Find and hold the SA that was used to the Rx skb::”h]”hŒ1Find and hold the SA that was used to the Rx skb:”…””}”(hjÅ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K hjÁ  ubjM  )”}”(hŒ/* get spi, protocol, and destination IP from packet headers */
xs = find xs from (spi, protocol, dest_IP)
xfrm_state_hold(xs);”h]”hŒ/* get spi, protocol, and destination IP from packet headers */
xs = find xs from (spi, protocol, dest_IP)
xfrm_state_hold(xs);”…””}”hjÓ  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1jL  hŸh³h K¢hjÁ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jI  hj¾  hžhhŸh³h NubjJ  )”}”(hŒ®Store the state information into the skb::

             sp = secpath_set(skb);
             if (!sp) return;
             sp->xvec[sp->len++] = xs;
             sp->olen++;
”h]”(hØ)”}”(hŒ*Store the state information into the skb::”h]”hŒ)Store the state information into the skb:”…””}”(hjë  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K¦hjç  ubjM  )”}”(hŒMsp = secpath_set(skb);
if (!sp) return;
sp->xvec[sp->len++] = xs;
sp->olen++;”h]”hŒMsp = secpath_set(skb);
if (!sp) return;
sp->xvec[sp->len++] = xs;
sp->olen++;”…””}”hjù  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1jL  hŸh³h K¨hjç  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jI  hj¾  hžhhŸh³h NubjJ  )”}”(hŒ¯Indicate the success and/or error status of the offload::

             xo = xfrm_offload(skb);
             xo->flags = CRYPTO_DONE;
             xo->status = crypto_status;
”h]”(hØ)”}”(hŒ9Indicate the success and/or error status of the offload::”h]”hŒ8Indicate the success and/or error status of the offload:”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K­hj  ubjM  )”}”(hŒLxo = xfrm_offload(skb);
xo->flags = CRYPTO_DONE;
xo->status = crypto_status;”h]”hŒLxo = xfrm_offload(skb);
xo->flags = CRYPTO_DONE;
xo->status = crypto_status;”…””}”hj  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1jL  hŸh³h K¯hj  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jI  hj¾  hžhhŸh³h NubjJ  )”}”(hŒ0Hand the packet to napi_gro_receive() as usual.
”h]”hØ)”}”(hŒ/Hand the packet to napi_gro_receive() as usual.”h]”hŒ/Hand the packet to napi_gro_receive() as usual.”…””}”(hj7  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K³hj3  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jI  hj¾  hžhhŸh³h Nubeh}”(h]”h ]”h"]”h$]”h&]”Œenumtype”Œarabic”Œprefix”hŒsuffix”Œ.”uh1j¼  hjÃ  hžhhŸh³h K ubhØ)”}”(hŒÕIn ESN mode, xdo_dev_state_advance_esn() is called from
xfrm_replay_advance_esn() for RX, and xfrm_replay_overflow_offload_esn for TX.
Driver will check packet seq number and update HW ESN state machine if needed.”h]”hŒÕIn ESN mode, xdo_dev_state_advance_esn() is called from
xfrm_replay_advance_esn() for RX, and xfrm_replay_overflow_offload_esn for TX.
Driver will check packet seq number and update HW ESN state machine if needed.”…””}”(hjV  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KµhjÃ  hžhubhØ)”}”(hŒåPacket offload mode:
HW adds and deletes XFRM headers. So in RX path, XFRM stack is bypassed if HW
reported success. In TX path, the packet lefts kernel without extra header
and not encrypted, the HW is responsible to perform it.”h]”hŒåPacket offload mode:
HW adds and deletes XFRM headers. So in RX path, XFRM stack is bypassed if HW
reported success. In TX path, the packet lefts kernel without extra header
and not encrypted, the HW is responsible to perform it.”…””}”(hjd  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K¹hjÃ  hžhubhØ)”}”(hXº  When the SA is removed by the user, the driver's xdo_dev_state_delete()
and xdo_dev_policy_delete() are asked to disable the offload.  Later,
xdo_dev_state_free() and xdo_dev_policy_free() are called from a garbage
collection routine after all reference counts to the state and policy
have been removed and any remaining resources can be cleared for the
offload state.  How these are used by the driver will depend on specific
hardware needs.”h]”hX¼  When the SA is removed by the user, the driverâ€™s xdo_dev_state_delete()
and xdo_dev_policy_delete() are asked to disable the offload.  Later,
xdo_dev_state_free() and xdo_dev_policy_free() are called from a garbage
collection routine after all reference counts to the state and policy
have been removed and any remaining resources can be cleared for the
offload state.  How these are used by the driver will depend on specific
hardware needs.”…””}”(hjr  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K¾hjÃ  hžhubhØ)”}”(hŒÈAs a netdev is set to DOWN the XFRM stack's netdev listener will call
xdo_dev_state_delete(), xdo_dev_policy_delete(), xdo_dev_state_free() and
xdo_dev_policy_free() on any remaining offloaded states.”h]”hŒÊAs a netdev is set to DOWN the XFRM stackâ€™s netdev listener will call
xdo_dev_state_delete(), xdo_dev_policy_delete(), xdo_dev_state_free() and
xdo_dev_policy_free() on any remaining offloaded states.”…””}”(hj€  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KÆhjÃ  hžhubhØ)”}”(hXQ  Outcome of HW handling packets, the XFRM core can't count hard, soft limits.
The HW/driver are responsible to perform it and provide accurate data when
xdo_dev_state_update_stats() is called. In case of one of these limits
occuried, the driver needs to call to xfrm_state_check_expire() to make sure
that XFRM performs rekeying sequence.”h]”hXS  Outcome of HW handling packets, the XFRM core canâ€™t count hard, soft limits.
The HW/driver are responsible to perform it and provide accurate data when
xdo_dev_state_update_stats() is called. In case of one of these limits
occuried, the driver needs to call to xfrm_state_check_expire() to make sure
that XFRM performs rekeying sequence.”…””}”(hjŽ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KÊhjÃ  hžhubeh}”(h]”Œflow”ah ]”h"]”Œflow”ah$]”h&]”uh1hÂhhÄhžhhŸh³h Kbubeh}”(h]”(Œ-xfrm-device-offloading-the-ipsec-computations”hÁeh ]”h"]”(Œ/xfrm device - offloading the ipsec computations”Œxfrm_device”eh$]”h&]”uh1hÂhhhžhhŸh³h KŒexpect_referenced_by_name”}”jª  h¶sŒexpect_referenced_by_id”}”hÁh¶subeh}”(h]”h ]”h"]”h$]”h&]”Œsource”h³uh1hŒcurrent_source”NŒcurrent_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(hÇNŒ	generator”NŒ	datestamp”NŒsource_link”NŒ
source_url”NŒtoc_backlinks”jŠ  Œfootnote_backlinks”KŒsectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒstrip_classes”NŒreport_level”KŒ
halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ	traceback”ˆŒinput_encoding”Œ	utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”jÓ  Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œlanguage_code”Œen”Œrecord_dependencies”NŒconfig”NŒ	id_prefix”hŒauto_id_prefix”Œid”Œdump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”h³Œ_destination”NŒ_config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒraw_enabled”KŒline_length_limit”M'Œpep_references”NŒpep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒrfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ	tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œsmart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œdocinfo_xform”KŒsectsubtitle_xform”‰Œimage_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œrefids”}”hÁ]”h¶asŒnameids”}”(jª  hÁj©  j¦  j‹  jˆ  jÀ  j½  j¡  jž  uŒ	nametypes”}”(jª  ˆj©  ‰j‹  ‰jÀ  ‰j¡  ‰uh}”(hÁhÄj¦  hÄjˆ  j  j½  jŽ  jž  jÃ  uŒfootnote_refs”}”Œcitation_refs”}”Œautofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ	footnotes”]”Œ	citations”]”Œautofootnote_start”KŒsymbol_footnote_start”K Œ
id_counter”Œcollections”ŒCounter”“”}”…”R”Œparse_messages”]”Œtransform_messages”]”hŒsystem_message”“”)”}”(hhh]”hØ)”}”(hhh]”hŒ1Hyperlink target "xfrm-device" is not referenced.”…””}”hj=  sbah}”(h]”h ]”h"]”h$]”h&]”uh1h×hj:  ubah}”(h]”h ]”h"]”h$]”h&]”Œlevel”KŒtype”ŒINFO”Œsource”h³Œline”Kuh1j8  ubaŒtransformer”NŒinclude_log”]”Œ
decoration”Nhžhub.