Add TLS 1.3 hardware offload support to mlx5 driver, enabling both TX and RX hardware acceleration for TLS 1.3 connections on Mellanox ConnectX-6 Dx and newer adapters. This patch enables: - TLS 1.3 version detection and validation with proper capability checking - TLS 1.3 crypto context configuration using MLX5E_STATIC_PARAMS_CONTEXT_TLS_1_3 (0x3) - Correct IV handling for TLS 1.3 (12-byte IV vs TLS 1.2's 4-byte salt) - Hardware offload for both TLS 1.3 AES-GCM-128 and AES-GCM-256 cipher suites Key differences from TLS 1.2: - TLS 1.2: Only 4-byte salt copied to gcm_iv, explicit IV in each record - TLS 1.3: Full 12-byte IV (salt + iv) copied to gcm_iv + implicit_iv * salt (4 bytes) → gcm_iv[0:3] * iv (8 bytes) → gcm_iv[4:7] + implicit_iv[0:3] * Note: gcm_iv and implicit_iv are contiguous in memory The EXTRACT_INFO_FIELDS macro is updated to also extract the 'iv' field which is needed for TLS 1.3. Testing: Verified on Mellanox ConnectX-6 Dx (Crypto Enabled) (MT2892) using ktls_test suite. Both TX and RX hardware offload working successfully with TLS 1.3 AES-GCM-128 and AES-GCM-256 cipher suites. Signed-off-by: Rishikesh Jethwani --- .../ethernet/mellanox/mlx5/core/en_accel/ktls.h | 8 +++++++- .../mellanox/mlx5/core/en_accel/ktls_txrx.c | 14 +++++++++++--- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls.h b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls.h index 07a04a142a2e..0469ca6a0762 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls.h +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls.h @@ -30,7 +30,9 @@ static inline bool mlx5e_is_ktls_device(struct mlx5_core_dev *mdev) return false; return (MLX5_CAP_TLS(mdev, tls_1_2_aes_gcm_128) || - MLX5_CAP_TLS(mdev, tls_1_2_aes_gcm_256)); + MLX5_CAP_TLS(mdev, tls_1_2_aes_gcm_256) || + MLX5_CAP_TLS(mdev, tls_1_3_aes_gcm_128) || + MLX5_CAP_TLS(mdev, tls_1_3_aes_gcm_256)); } static inline bool mlx5e_ktls_type_check(struct mlx5_core_dev *mdev, @@ -40,10 +42,14 @@ static inline bool mlx5e_ktls_type_check(struct mlx5_core_dev *mdev, case TLS_CIPHER_AES_GCM_128: if (crypto_info->version == TLS_1_2_VERSION) return MLX5_CAP_TLS(mdev, tls_1_2_aes_gcm_128); + else if (crypto_info->version == TLS_1_3_VERSION) + return MLX5_CAP_TLS(mdev, tls_1_3_aes_gcm_128); break; case TLS_CIPHER_AES_GCM_256: if (crypto_info->version == TLS_1_2_VERSION) return MLX5_CAP_TLS(mdev, tls_1_2_aes_gcm_256); + else if (crypto_info->version == TLS_1_3_VERSION) + return MLX5_CAP_TLS(mdev, tls_1_3_aes_gcm_256); break; } diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_txrx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_txrx.c index 570a912dd6fa..f3f90ad6c6cf 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_txrx.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_txrx.c @@ -6,6 +6,7 @@ enum { MLX5E_STATIC_PARAMS_CONTEXT_TLS_1_2 = 0x2, + MLX5E_STATIC_PARAMS_CONTEXT_TLS_1_3 = 0x3, }; enum { @@ -15,8 +16,10 @@ enum { #define EXTRACT_INFO_FIELDS do { \ salt = info->salt; \ rec_seq = info->rec_seq; \ + iv = info->iv; \ salt_sz = sizeof(info->salt); \ rec_seq_sz = sizeof(info->rec_seq); \ + iv_sz = sizeof(info->iv); \ } while (0) static void @@ -25,8 +28,8 @@ fill_static_params(struct mlx5_wqe_tls_static_params_seg *params, u32 key_id, u32 resync_tcp_sn) { char *initial_rn, *gcm_iv; - u16 salt_sz, rec_seq_sz; - char *salt, *rec_seq; + u16 salt_sz, rec_seq_sz, iv_sz; + char *salt, *rec_seq, *iv; u8 tls_version; u8 *ctx; @@ -59,7 +62,12 @@ fill_static_params(struct mlx5_wqe_tls_static_params_seg *params, memcpy(gcm_iv, salt, salt_sz); memcpy(initial_rn, rec_seq, rec_seq_sz); - tls_version = MLX5E_STATIC_PARAMS_CONTEXT_TLS_1_2; + if (crypto_info->crypto_info.version == TLS_1_3_VERSION) { + memcpy(gcm_iv + salt_sz, iv, iv_sz); + tls_version = MLX5E_STATIC_PARAMS_CONTEXT_TLS_1_3; + } else { + tls_version = MLX5E_STATIC_PARAMS_CONTEXT_TLS_1_2; + } MLX5_SET(tls_static_params, ctx, tls_version, tls_version); MLX5_SET(tls_static_params, ctx, const_1, 1); -- 2.25.1