€•ixŒsphinx.addnodes”Œdocument”“”)”}”(Œ rawsource”Œ”Œchildren”]”(Œ translations”Œ LanguagesNode”“”)”}”(hhh]”(hŒ pending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ refdomain”Œstd”Œreftype”Œdoc”Œ reftarget”Œ//translations/zh_CN/networking/xfrm/xfrm_device”Œmodname”NŒ classname”NŒ refexplicit”ˆuŒtagname”hhh ubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ//translations/zh_TW/networking/xfrm/xfrm_device”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ//translations/it_IT/networking/xfrm/xfrm_device”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ//translations/ja_JP/networking/xfrm/xfrm_device”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ//translations/ko_KR/networking/xfrm/xfrm_device”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒPortuguese (Brazilian)”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ//translations/pt_BR/networking/xfrm/xfrm_device”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒSpanish”…””}”hh–sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ//translations/sp_SP/networking/xfrm/xfrm_device”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h hhŒ _document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh·sbah}”(h]”h ]”h"]”h$]”h&]”Œ xml:space”Œpreserve”uh1hµhhh²hh³ŒI/var/lib/git/docbuild/linux/Documentation/networking/xfrm/xfrm_device.rst”h´KubhŒtarget”“”)”}”(hŒ.. _xfrm_device:”h]”h}”(h]”h ]”h"]”h$]”h&]”Œrefid”Œ xfrm-device”uh1hÈh´Khhh²hh³hÇubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒ/XFRM device - offloading the IPsec computations”h]”hŒ/XFRM device - offloading the IPsec computations”…””}”(hhÝh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÛhhØh²hh³hÇh´KubhŒ paragraph”“”)”}”(hŒNShannon Nelson Leon Romanovsky ”h]”(hŒShannon Nelson <”…””}”(hhíh²hh³Nh´NubhŒ reference”“”)”}”(hŒshannon.nelson@oracle.com”h]”hŒshannon.nelson@oracle.com”…””}”(hh÷h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”Œ mailto:shannon.nelson@oracle.com”uh1hõhhíubhŒ> Leon Romanovsky <”…””}”(hhíh²hh³Nh´Nubhö)”}”(hŒleonro@nvidia.com”h]”hŒleonro@nvidia.com”…””}”(hj h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”Œmailto:leonro@nvidia.com”uh1hõhhíubhŒ>”…””}”(hhíh²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´KhhØh²hubh×)”}”(hhh]”(hÜ)”}”(hŒOverview”h]”hŒOverview”…””}”(hj(h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÛhj%h²hh³hÇh´K ubhì)”}”(hX±IPsec is a useful feature for securing network traffic, but the computational cost is high: a 10Gbps link can easily be brought down to under 1Gbps, depending on the traffic and link configuration. Luckily, there are NICs that offer a hardware based IPsec offload which can radically increase throughput and decrease CPU utilization. The XFRM Device interface allows NIC drivers to offer to the stack access to the hardware offload.”h]”hX±IPsec is a useful feature for securing network traffic, but the computational cost is high: a 10Gbps link can easily be brought down to under 1Gbps, depending on the traffic and link configuration. Luckily, there are NICs that offer a hardware based IPsec offload which can radically increase throughput and decrease CPU utilization. The XFRM Device interface allows NIC drivers to offer to the stack access to the hardware offload.”…””}”(hj6h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´Khj%h²hubhì)”}”(hŒHRight now, there are two types of hardware offload that kernel supports:”h]”hŒHRight now, there are two types of hardware offload that kernel supports:”…””}”(hjDh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´Khj%h²hubhŒ block_quote”“”)”}”(hX0* IPsec crypto offload: * NIC performs encrypt/decrypt * Kernel does everything else * IPsec packet offload: * NIC performs encrypt/decrypt * NIC does encapsulation * Kernel and NIC have SA and policy in-sync * NIC handles the SA and policies states * The Kernel talks to the keymanager ”h]”hŒ bullet_list”“”)”}”(hhh]”(hŒ list_item”“”)”}”(hŒTIPsec crypto offload: * NIC performs encrypt/decrypt * Kernel does everything else ”h]”(hì)”}”(hŒIPsec crypto offload:”h]”hŒIPsec crypto offload:”…””}”(hjch²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´Khj_ubjY)”}”(hhh]”(j^)”}”(hŒNIC performs encrypt/decrypt”h]”hì)”}”(hjvh]”hŒNIC performs encrypt/decrypt”…””}”(hjxh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´Khjtubah}”(h]”h ]”h"]”h$]”h&]”uh1j]hjqubj^)”}”(hŒKernel does everything else ”h]”hì)”}”(hŒKernel does everything else”h]”hŒKernel does everything else”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´Khj‹ubah}”(h]”h ]”h"]”h$]”h&]”uh1j]hjqubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ*”uh1jXh³hÇh´Khj_ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j]hjZubj^)”}”(hŒÉIPsec packet offload: * NIC performs encrypt/decrypt * NIC does encapsulation * Kernel and NIC have SA and policy in-sync * NIC handles the SA and policies states * The Kernel talks to the keymanager ”h]”(hì)”}”(hŒIPsec packet offload:”h]”hŒIPsec packet offload:”…””}”(hjµh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´Khj±ubjY)”}”(hhh]”(j^)”}”(hŒNIC performs encrypt/decrypt”h]”hì)”}”(hjÈh]”hŒNIC performs encrypt/decrypt”…””}”(hjÊh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´K hjÆubah}”(h]”h ]”h"]”h$]”h&]”uh1j]hjÃubj^)”}”(hŒNIC does encapsulation”h]”hì)”}”(hjßh]”hŒNIC does encapsulation”…””}”(hjáh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´K!hjÝubah}”(h]”h ]”h"]”h$]”h&]”uh1j]hjÃubj^)”}”(hŒ)Kernel and NIC have SA and policy in-sync”h]”hì)”}”(hjöh]”hŒ)Kernel and NIC have SA and policy in-sync”…””}”(hjøh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´K"hjôubah}”(h]”h ]”h"]”h$]”h&]”uh1j]hjÃubj^)”}”(hŒ&NIC handles the SA and policies states”h]”hì)”}”(hj h]”hŒ&NIC handles the SA and policies states”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´K#hj ubah}”(h]”h ]”h"]”h$]”h&]”uh1j]hjÃubj^)”}”(hŒ#The Kernel talks to the keymanager ”h]”hì)”}”(hŒ"The Kernel talks to the keymanager”h]”hŒ"The Kernel talks to the keymanager”…””}”(hj&h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´K$hj"ubah}”(h]”h ]”h"]”h$]”h&]”uh1j]hjÃubeh}”(h]”h ]”h"]”h$]”h&]”j©jªuh1jXh³hÇh´K hj±ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j]hjZubeh}”(h]”h ]”h"]”h$]”h&]”j©jªuh1jXh³hÇh´KhjTubah}”(h]”h ]”h"]”h$]”h&]”uh1jRh³hÇh´Khj%h²hubhì)”}”(hŒïUserland access to the offload is typically through a system such as libreswan or KAME/raccoon, but the iproute2 'ip xfrm' command set can be handy when experimenting. An example command might look something like this for crypto offload::”h]”hŒòUserland access to the offload is typically through a system such as libreswan or KAME/raccoon, but the iproute2 ‘ip xfrm’ command set can be handy when experimenting. An example command might look something like this for crypto offload:”…””}”(hjRh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´K&hj%h²hubhŒ literal_block”“”)”}”(hXip x s add proto esp dst 14.0.0.70 src 14.0.0.52 spi 0x07 mode transport \ reqid 0x07 replay-window 32 \ aead 'rfc4106(gcm(aes))' 0x44434241343332312423222114131211f4f3f2f1 128 \ sel src 14.0.0.52/24 dst 14.0.0.70/24 proto tcp \ offload dev eth4 dir in”h]”hXip x s add proto esp dst 14.0.0.70 src 14.0.0.52 spi 0x07 mode transport \ reqid 0x07 replay-window 32 \ aead 'rfc4106(gcm(aes))' 0x44434241343332312423222114131211f4f3f2f1 128 \ sel src 14.0.0.52/24 dst 14.0.0.70/24 proto tcp \ offload dev eth4 dir in”…””}”hjbsbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j`h³hÇh´K+hj%h²hubhì)”}”(hŒand for packet offload::”h]”hŒand for packet offload:”…””}”(hjph²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´K1hj%h²hubja)”}”(hXœip x s add proto esp dst 14.0.0.70 src 14.0.0.52 spi 0x07 mode transport \ reqid 0x07 replay-window 32 \ aead 'rfc4106(gcm(aes))' 0x44434241343332312423222114131211f4f3f2f1 128 \ sel src 14.0.0.52/24 dst 14.0.0.70/24 proto tcp \ offload packet dev eth4 dir in ip x p add src 14.0.0.70 dst 14.0.0.52 offload packet dev eth4 dir in tmpl src 14.0.0.70 dst 14.0.0.52 proto esp reqid 10000 mode transport”h]”hXœip x s add proto esp dst 14.0.0.70 src 14.0.0.52 spi 0x07 mode transport \ reqid 0x07 replay-window 32 \ aead 'rfc4106(gcm(aes))' 0x44434241343332312423222114131211f4f3f2f1 128 \ sel src 14.0.0.52/24 dst 14.0.0.70/24 proto tcp \ offload packet dev eth4 dir in ip x p add src 14.0.0.70 dst 14.0.0.52 offload packet dev eth4 dir in tmpl src 14.0.0.70 dst 14.0.0.52 proto esp reqid 10000 mode transport”…””}”hj~sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j`h³hÇh´K3hj%h²hubhì)”}”(hŒIYes, that's ugly, but that's what shell scripts and/or libreswan are for.”h]”hŒMYes, that’s ugly, but that’s what shell scripts and/or libreswan are for.”…””}”(hjŒh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´Knetdev->xfrmdev_ops = &ixgbe_xfrmdev_ops; adapter->netdev->features |= NETIF_F_HW_ESP; adapter->netdev->hw_enc_features |= NETIF_F_HW_ESP;”h]”hŒ“adapter->netdev->xfrmdev_ops = &ixgbe_xfrmdev_ops; adapter->netdev->features |= NETIF_F_HW_ESP; adapter->netdev->hw_enc_features |= NETIF_F_HW_ESP;”…””}”hjösbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j`h³hÇh´Kjhj×h²hubhì)”}”(hŒËWhen new SAs are set up with a request for "offload" feature, the driver's xdo_dev_state_add() will be given the new SA to be offloaded and an indication of whether it is for Rx or Tx. The driver should”h]”hŒÑWhen new SAs are set up with a request for “offload†feature, the driver’s xdo_dev_state_add() will be given the new SA to be offloaded and an indication of whether it is for Rx or Tx. The driver should”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´Knhj×h²hubjS)”}”(hXÝ- verify the algorithm is supported for offloads - store the SA information (key, salt, target-ip, protocol, etc) - enable the HW offload of the SA - return status value: =========== =================================== 0 success -EOPNETSUPP offload not supported, try SW IPsec, not applicable for packet offload mode other fail the request =========== =================================== ”h]”jY)”}”(hhh]”(j^)”}”(hŒ.verify the algorithm is supported for offloads”h]”hì)”}”(hjh]”hŒ.verify the algorithm is supported for offloads”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´Krhjubah}”(h]”h ]”h"]”h$]”h&]”uh1j]hjubj^)”}”(hŒ>store the SA information (key, salt, target-ip, protocol, etc)”h]”hì)”}”(hj2h]”hŒ>store the SA information (key, salt, target-ip, protocol, etc)”…””}”(hj4h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´Kshj0ubah}”(h]”h ]”h"]”h$]”h&]”uh1j]hjubj^)”}”(hŒenable the HW offload of the SA”h]”hì)”}”(hjIh]”hŒenable the HW offload of the SA”…””}”(hjKh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´KthjGubah}”(h]”h ]”h"]”h$]”h&]”uh1j]hjubj^)”}”(hX;return status value: =========== =================================== 0 success -EOPNETSUPP offload not supported, try SW IPsec, not applicable for packet offload mode other fail the request =========== =================================== ”h]”(hì)”}”(hŒreturn status value:”h]”hŒreturn status value:”…””}”(hjbh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´Kuhj^ubjS)”}”(hX=========== =================================== 0 success -EOPNETSUPP offload not supported, try SW IPsec, not applicable for packet offload mode other fail the request =========== =================================== ”h]”hŒtable”“”)”}”(hhh]”hŒtgroup”“”)”}”(hhh]”(hŒcolspec”“”)”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”K uh1j~hj{ubj)”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”K&uh1j~hj{ubhŒtbody”“”)”}”(hhh]”(hŒrow”“”)”}”(hhh]”(hŒentry”“”)”}”(hhh]”hì)”}”(hŒ0”h]”hŒ0”…””}”(hj£h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´Kxhj ubah}”(h]”h ]”h"]”h$]”h&]”uh1jžhj›ubjŸ)”}”(hhh]”hì)”}”(hŒsuccess”h]”hŒsuccess”…””}”(hjºh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´Kxhj·ubah}”(h]”h ]”h"]”h$]”h&]”uh1jžhj›ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j™hj–ubjš)”}”(hhh]”(jŸ)”}”(hhh]”hì)”}”(hŒ -EOPNETSUPP”h]”hŒ -EOPNETSUPP”…””}”(hjÚh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´Kyhj×ubah}”(h]”h ]”h"]”h$]”h&]”uh1jžhjÔubjŸ)”}”(hhh]”hì)”}”(hŒKoffload not supported, try SW IPsec, not applicable for packet offload mode”h]”hŒKoffload not supported, try SW IPsec, not applicable for packet offload mode”…””}”(hjñh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´Kyhjîubah}”(h]”h ]”h"]”h$]”h&]”uh1jžhjÔubeh}”(h]”h ]”h"]”h$]”h&]”uh1j™hj–ubjš)”}”(hhh]”(jŸ)”}”(hhh]”hì)”}”(hŒother”h]”hŒother”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´K{hjubah}”(h]”h ]”h"]”h$]”h&]”uh1jžhj ubjŸ)”}”(hhh]”hì)”}”(hŒfail the request”h]”hŒfail the request”…””}”(hj(h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´K{hj%ubah}”(h]”h ]”h"]”h$]”h&]”uh1jžhj ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j™hj–ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j”hj{ubeh}”(h]”h ]”h"]”h$]”h&]”Œcols”Kuh1jyhjvubah}”(h]”h ]”h"]”h$]”h&]”uh1jthjpubah}”(h]”h ]”h"]”h$]”h&]”uh1jRh³hÇh´Kwhj^ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j]hjubeh}”(h]”h ]”h"]”h$]”h&]”j©Œ-”uh1jXh³hÇh´Krhjubah}”(h]”h ]”h"]”h$]”h&]”uh1jRh³hÇh´Krhj×h²hubhì)”}”(hŒ”The driver can also set an offload_handle in the SA, an opaque void pointer that can be used to convey context into the fast-path offload requests::”h]”hŒ“The driver can also set an offload_handle in the SA, an opaque void pointer that can be used to convey context into the fast-path offload requests:”…””}”(hjnh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´K~hj×h²hubja)”}”(hŒ!xs->xso.offload_handle = context;”h]”hŒ!xs->xso.offload_handle = context;”…””}”hj|sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j`h³hÇh´Khj×h²hubhì)”}”(hXèWhen the network stack is preparing an IPsec packet for an SA that has been setup for offload, it first calls into xdo_dev_offload_ok() with the skb and the intended offload state to ask the driver if the offload will serviceable. This can check the packet information to be sure the offload can be supported (e.g. IPv4 or IPv6, no IPv4 options, etc) and return true or false to signify its support. In case driver doesn't implement this callback, the stack provides reasonable defaults.”h]”hXêWhen the network stack is preparing an IPsec packet for an SA that has been setup for offload, it first calls into xdo_dev_offload_ok() with the skb and the intended offload state to ask the driver if the offload will serviceable. This can check the packet information to be sure the offload can be supported (e.g. IPv4 or IPv6, no IPv4 options, etc) and return true or false to signify its support. In case driver doesn’t implement this callback, the stack provides reasonable defaults.”…””}”(hjŠh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´K„hj×h²hubhì)”}”(hŒ¶Crypto offload mode: When ready to send, the driver needs to inspect the Tx packet for the offload information, including the opaque context, and set up the packet send accordingly::”h]”hŒµCrypto offload mode: When ready to send, the driver needs to inspect the Tx packet for the offload information, including the opaque context, and set up the packet send accordingly:”…””}”(hj˜h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´KŒhj×h²hubja)”}”(hŒPxs = xfrm_input_state(skb); context = xs->xso.offload_handle; set up HW for send”h]”hŒPxs = xfrm_input_state(skb); context = xs->xso.offload_handle; set up HW for send”…””}”hj¦sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j`h³hÇh´K‘hj×h²hubhì)”}”(hŒšThe stack has already inserted the appropriate IPsec headers in the packet data, the offload just needs to do the encryption and fix up the header values.”h]”hŒšThe stack has already inserted the appropriate IPsec headers in the packet data, the offload just needs to do the encryption and fix up the header values.”…””}”(hj´h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´K•hj×h²hubhì)”}”(hX4When a packet is received and the HW has indicated that it offloaded a decryption, the driver needs to add a reference to the decoded SA into the packet's skb. At this point the data should be decrypted but the IPsec headers are still in the packet data; they are removed later up the stack in xfrm_input().”h]”hX6When a packet is received and the HW has indicated that it offloaded a decryption, the driver needs to add a reference to the decoded SA into the packet’s skb. At this point the data should be decrypted but the IPsec headers are still in the packet data; they are removed later up the stack in xfrm_input().”…””}”(hjÂh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´Kšhj×h²hubhŒenumerated_list”“”)”}”(hhh]”(j^)”}”(hŒÛFind and hold the SA that was used to the Rx skb:: /* get spi, protocol, and destination IP from packet headers */ xs = find xs from (spi, protocol, dest_IP) xfrm_state_hold(xs); ”h]”(hì)”}”(hŒ2Find and hold the SA that was used to the Rx skb::”h]”hŒ1Find and hold the SA that was used to the Rx skb:”…””}”(hjÙh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´K hjÕubja)”}”(hŒ/* get spi, protocol, and destination IP from packet headers */ xs = find xs from (spi, protocol, dest_IP) xfrm_state_hold(xs);”h]”hŒ/* get spi, protocol, and destination IP from packet headers */ xs = find xs from (spi, protocol, dest_IP) xfrm_state_hold(xs);”…””}”hjçsbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j`h³hÇh´K¢hjÕubeh}”(h]”h ]”h"]”h$]”h&]”uh1j]hjÒh²hh³hÇh´Nubj^)”}”(hŒ®Store the state information into the skb:: sp = secpath_set(skb); if (!sp) return; sp->xvec[sp->len++] = xs; sp->olen++; ”h]”(hì)”}”(hŒ*Store the state information into the skb::”h]”hŒ)Store the state information into the skb:”…””}”(hjÿh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´K¦hjûubja)”}”(hŒMsp = secpath_set(skb); if (!sp) return; sp->xvec[sp->len++] = xs; sp->olen++;”h]”hŒMsp = secpath_set(skb); if (!sp) return; sp->xvec[sp->len++] = xs; sp->olen++;”…””}”hj sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j`h³hÇh´K¨hjûubeh}”(h]”h ]”h"]”h$]”h&]”uh1j]hjÒh²hh³hÇh´Nubj^)”}”(hŒ¯Indicate the success and/or error status of the offload:: xo = xfrm_offload(skb); xo->flags = CRYPTO_DONE; xo->status = crypto_status; ”h]”(hì)”}”(hŒ9Indicate the success and/or error status of the offload::”h]”hŒ8Indicate the success and/or error status of the offload:”…””}”(hj%h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´K­hj!ubja)”}”(hŒLxo = xfrm_offload(skb); xo->flags = CRYPTO_DONE; xo->status = crypto_status;”h]”hŒLxo = xfrm_offload(skb); xo->flags = CRYPTO_DONE; xo->status = crypto_status;”…””}”hj3sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j`h³hÇh´K¯hj!ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j]hjÒh²hh³hÇh´Nubj^)”}”(hŒ0Hand the packet to napi_gro_receive() as usual. ”h]”hì)”}”(hŒ/Hand the packet to napi_gro_receive() as usual.”h]”hŒ/Hand the packet to napi_gro_receive() as usual.”…””}”(hjKh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´K³hjGubah}”(h]”h ]”h"]”h$]”h&]”uh1j]hjÒh²hh³hÇh´Nubeh}”(h]”h ]”h"]”h$]”h&]”Œenumtype”Œarabic”Œprefix”hŒsuffix”Œ.”uh1jÐhj×h²hh³hÇh´K ubhì)”}”(hŒÕIn ESN mode, xdo_dev_state_advance_esn() is called from xfrm_replay_advance_esn() for RX, and xfrm_replay_overflow_offload_esn for TX. Driver will check packet seq number and update HW ESN state machine if needed.”h]”hŒÕIn ESN mode, xdo_dev_state_advance_esn() is called from xfrm_replay_advance_esn() for RX, and xfrm_replay_overflow_offload_esn for TX. Driver will check packet seq number and update HW ESN state machine if needed.”…””}”(hjjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´Kµhj×h²hubhì)”}”(hŒåPacket offload mode: HW adds and deletes XFRM headers. So in RX path, XFRM stack is bypassed if HW reported success. In TX path, the packet lefts kernel without extra header and not encrypted, the HW is responsible to perform it.”h]”hŒåPacket offload mode: HW adds and deletes XFRM headers. So in RX path, XFRM stack is bypassed if HW reported success. In TX path, the packet lefts kernel without extra header and not encrypted, the HW is responsible to perform it.”…””}”(hjxh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´K¹hj×h²hubhì)”}”(hXºWhen the SA is removed by the user, the driver's xdo_dev_state_delete() and xdo_dev_policy_delete() are asked to disable the offload. Later, xdo_dev_state_free() and xdo_dev_policy_free() are called from a garbage collection routine after all reference counts to the state and policy have been removed and any remaining resources can be cleared for the offload state. How these are used by the driver will depend on specific hardware needs.”h]”hX¼When the SA is removed by the user, the driver’s xdo_dev_state_delete() and xdo_dev_policy_delete() are asked to disable the offload. Later, xdo_dev_state_free() and xdo_dev_policy_free() are called from a garbage collection routine after all reference counts to the state and policy have been removed and any remaining resources can be cleared for the offload state. How these are used by the driver will depend on specific hardware needs.”…””}”(hj†h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´K¾hj×h²hubhì)”}”(hŒÈAs a netdev is set to DOWN the XFRM stack's netdev listener will call xdo_dev_state_delete(), xdo_dev_policy_delete(), xdo_dev_state_free() and xdo_dev_policy_free() on any remaining offloaded states.”h]”hŒÊAs a netdev is set to DOWN the XFRM stack’s netdev listener will call xdo_dev_state_delete(), xdo_dev_policy_delete(), xdo_dev_state_free() and xdo_dev_policy_free() on any remaining offloaded states.”…””}”(hj”h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´KÆhj×h²hubhì)”}”(hXQOutcome of HW handling packets, the XFRM core can't count hard, soft limits. The HW/driver are responsible to perform it and provide accurate data when xdo_dev_state_update_stats() is called. In case of one of these limits occuried, the driver needs to call to xfrm_state_check_expire() to make sure that XFRM performs rekeying sequence.”h]”hXSOutcome of HW handling packets, the XFRM core can’t count hard, soft limits. The HW/driver are responsible to perform it and provide accurate data when xdo_dev_state_update_stats() is called. In case of one of these limits occuried, the driver needs to call to xfrm_state_check_expire() to make sure that XFRM performs rekeying sequence.”…””}”(hj¢h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hëh³hÇh´KÊhj×h²hubeh}”(h]”Œflow”ah ]”h"]”Œflow”ah$]”h&]”uh1hÖhhØh²hh³hÇh´Kbubeh}”(h]”(Œ-xfrm-device-offloading-the-ipsec-computations”hÕeh ]”h"]”(Œ/xfrm device - offloading the ipsec computations”Œ xfrm_device”eh$]”h&]”uh1hÖhhh²hh³hÇh´KŒexpect_referenced_by_name”}”j¾hÊsŒexpect_referenced_by_id”}”hÕhÊsubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”hÇuh1hŒcurrent_source”NŒ current_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(hÛNŒ generator”NŒ datestamp”NŒ source_link”NŒ source_url”NŒ toc_backlinks”jžŒfootnote_backlinks”KŒ sectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒ strip_classes”NŒ report_level”KŒ halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ traceback”ˆŒinput_encoding”Œ utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”jçŒerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œ language_code”Œen”Œrecord_dependencies”NŒconfig”NŒ id_prefix”hŒauto_id_prefix”Œid”Œ dump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”hÇŒ _destination”NŒ _config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒ raw_enabled”KŒline_length_limit”M'Œpep_references”NŒ pep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒ rfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œ smart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œ docinfo_xform”KŒsectsubtitle_xform”‰Œ image_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œrefids”}”hÕ]”hÊasŒnameids”}”(j¾hÕj½jºjŸjœjÔjÑjµj²uŒ nametypes”}”(j¾ˆj½‰jŸ‰jÔ‰jµ‰uh}”(hÕhØjºhØjœj%jÑj¢j²j×uŒ footnote_refs”}”Œ citation_refs”}”Œ autofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ footnotes”]”Œ citations”]”Œautofootnote_start”KŒsymbol_footnote_start”KŒ id_counter”Œ collections”ŒCounter”“”}”…”R”Œparse_messages”]”Œtransform_messages”]”hŒsystem_message”“”)”}”(hhh]”hì)”}”(hhh]”hŒ1Hyperlink target "xfrm-device" is not referenced.”…””}”hjQsbah}”(h]”h ]”h"]”h$]”h&]”uh1hëhjNubah}”(h]”h ]”h"]”h$]”h&]”Œlevel”KŒtype”ŒINFO”Œsource”hÇŒline”Kuh1jLubaŒ transformer”NŒ include_log”]”Œ decoration”Nh²hub.