Date: Fri, 3 Oct 2025 00:04:46 GMT
Message-Id: <202510030004.59304kKv057517@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Navdeep Parhar
Subject: git: f184ef0797b9 - stable/15 - cxgbe TOE TLS: Better support for partial records for T7.
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: np
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: f184ef0797b932512cfeb28192f2f585fb83f0ee

The branch stable/15 has been updated by np:

URL: https://cgit.FreeBSD.org/src/commit/?id=f184ef0797b932512cfeb28192f2f585fb83f0ee

commit f184ef0797b932512cfeb28192f2f585fb83f0ee
Author:     John Baldwin
AuthorDate: 2025-09-29 15:06:46 +0000
Commit:     Navdeep Parhar
CommitDate: 2025-10-02 22:09:08 +0000

    cxgbe TOE TLS: Better support for partial records for T7.

    T7 is able to start TOE TLS receive offload more cleanly if a partial
    TLS record containing a full header and at least one other byte has
    been received. In that case it is able to request the remaining bytes
    for the current TLS record from the NIC. Once those bytes have been
    received TLS receive offload can then be received starting with the
    subsequent record.

    Sponsored by: Chelsio Communications

    (cherry picked from commit 1e9849415ff9ed958d63bc7e5128c39e991933d2)

--- sys/dev/cxgbe/tom/t4_tls.c | 165 +++++++++++++++++++++++++++++++-------------- 1 file changed, 114 insertions(+), 51 deletions(-) diff --git a/sys/dev/cxgbe/tom/t4_tls.c b/sys/dev/cxgbe/tom/t4_tls.c index 0e15a8ec6871..bc12d1f773a9 100644 --- a/sys/dev/cxgbe/tom/t4_tls.c +++ b/sys/dev/cxgbe/tom/t4_tls.c
@@ -1091,33 +1091,60 @@ out: } /* - * Send a work request setting multiple TCB fields to enable - * ULP_MODE_TLS. + * Send a work request setting one or more TCB fields to partially or + * fully enable ULP_MODE_TLS. + * + * - If resid == 0, the socket buffer ends at a record boundary + * (either empty or contains one or more complete records). Switch + * to ULP_MODE_TLS (if not already) and enable TLS decryption. + * + * - If resid != 0, the socket buffer contains a partial record. In + * this case, switch to ULP_MODE_TLS partially and configure the TCB + * to pass along the remaining resid bytes undecrypted. Once they + * arrive, this is called again with resid == 0 and enables TLS + * decryption. */ static void -tls_update_tcb(struct adapter *sc, struct toepcb *toep, uint64_t seqno) +tls_update_tcb(struct adapter *sc, struct toepcb *toep, uint64_t seqno, + size_t resid) { struct mbuf *m; struct work_request_hdr *wrh; struct ulp_txpkt *ulpmc; int fields, key_offset, len; - KASSERT(ulp_mode(toep) == ULP_MODE_NONE, - ("%s: tid %d already ULP_MODE_TLS", __func__, toep->tid)); + /* + * If we are already in ULP_MODE_TLS, then we should now be at + * a record boundary and ready to finish enabling TLS RX. + */ + KASSERT(resid == 0 || ulp_mode(toep) == ULP_MODE_NONE, + ("%s: tid %d needs %zu more data but already ULP_MODE_TLS", + __func__, toep->tid, resid)); fields = 0; + if (ulp_mode(toep) == ULP_MODE_NONE) { + /* 2 writes for the overlay region */ + fields += 2; + } - /* 2 writes for the overlay region */ - fields += 2; + if (resid == 0) { + /* W_TCB_TLS_SEQ */ + fields++; - /* W_TCB_TLS_SEQ */ - fields++; + /* W_TCB_ULP_RAW */ + fields++; + } else { + /* W_TCB_PDU_LEN */ + fields++; - /* W_TCB_ULP_RAW */ - fields++; + /* W_TCB_ULP_RAW */ + fields++; + } - /* W_TCB_ULP_TYPE */ - fields ++; + if (ulp_mode(toep) == ULP_MODE_NONE) { + /* W_TCB_ULP_TYPE */ + fields ++; + } /* W_TCB_T_FLAGS */ fields++; 
@@ -1136,43 +1163,78 @@ tls_update_tcb(struct adapter *sc, struct toepcb *toep, uint64_t seqno) INIT_ULPTX_WRH(wrh, len, 1, toep->tid); /* atomic */ ulpmc = (struct ulp_txpkt *)(wrh + 1); - /* - * Clear the TLS overlay region: 1023:832. - * - * Words 26/27 are always set to zero. Words 28/29 - * contain seqno and are set when enabling TLS - * decryption. Word 30 is zero and Word 31 contains - * the keyid. - */ - ulpmc = mk_set_tcb_field_ulp(sc, ulpmc, toep->tid, 26, - 0xffffffffffffffff, 0); + if (ulp_mode(toep) == ULP_MODE_NONE) { + /* + * Clear the TLS overlay region: 1023:832. + * + * Words 26/27 are always set to zero. Words 28/29 + * contain seqno and are set when enabling TLS + * decryption. Word 30 is zero and Word 31 contains + * the keyid. + */ + ulpmc = mk_set_tcb_field_ulp(sc, ulpmc, toep->tid, 26, + 0xffffffffffffffff, 0); - /* - * RX key tags are an index into the key portion of MA - * memory stored as an offset from the base address in - * units of 64 bytes. - */ - key_offset = toep->tls.rx_key_addr - sc->vres.key.start; - ulpmc = mk_set_tcb_field_ulp(sc, ulpmc, toep->tid, 30, - 0xffffffffffffffff, - (uint64_t)V_TCB_RX_TLS_KEY_TAG(key_offset / 64) << 32); - - CTR3(KTR_CXGBE, "%s: tid %d enable TLS seqno %lu", __func__, - toep->tid, seqno); - ulpmc = mk_set_tcb_field_ulp(sc, ulpmc, toep->tid, W_TCB_RX_TLS_SEQ, - V_TCB_RX_TLS_SEQ(M_TCB_RX_TLS_SEQ), V_TCB_RX_TLS_SEQ(seqno)); - ulpmc = mk_set_tcb_field_ulp(sc, ulpmc, toep->tid, W_TCB_ULP_RAW, - V_TCB_ULP_RAW(M_TCB_ULP_RAW), - V_TCB_ULP_RAW((V_TF_TLS_KEY_SIZE(3) | V_TF_TLS_CONTROL(1) | - V_TF_TLS_ACTIVE(1) | V_TF_TLS_ENABLE(1)))); - - toep->flags &= ~TPF_TLS_STARTING; - toep->flags |= TPF_TLS_RECEIVE; - - /* Set the ULP mode to ULP_MODE_TLS. 
*/ - toep->params.ulp_mode = ULP_MODE_TLS; - ulpmc = mk_set_tcb_field_ulp(sc, ulpmc, toep->tid, W_TCB_ULP_TYPE, - V_TCB_ULP_TYPE(M_TCB_ULP_TYPE), V_TCB_ULP_TYPE(ULP_MODE_TLS)); + /* + * RX key tags are an index into the key portion of MA + * memory stored as an offset from the base address in + * units of 64 bytes. + */ + key_offset = toep->tls.rx_key_addr - sc->vres.key.start; + ulpmc = mk_set_tcb_field_ulp(sc, ulpmc, toep->tid, 30, + 0xffffffffffffffff, + (uint64_t)V_TCB_RX_TLS_KEY_TAG(key_offset / 64) << 32); + } + + if (resid == 0) { + /* + * The socket buffer is empty or only contains + * complete TLS records: Set the sequence number and + * enable TLS decryption. + */ + CTR3(KTR_CXGBE, "%s: tid %d enable TLS seqno %lu", __func__, + toep->tid, seqno); + ulpmc = mk_set_tcb_field_ulp(sc, ulpmc, toep->tid, + W_TCB_RX_TLS_SEQ, V_TCB_RX_TLS_SEQ(M_TCB_RX_TLS_SEQ), + V_TCB_RX_TLS_SEQ(seqno)); + ulpmc = mk_set_tcb_field_ulp(sc, ulpmc, toep->tid, + W_TCB_ULP_RAW, V_TCB_ULP_RAW(M_TCB_ULP_RAW), + V_TCB_ULP_RAW((V_TF_TLS_KEY_SIZE(3) | V_TF_TLS_CONTROL(1) | + V_TF_TLS_ACTIVE(1) | V_TF_TLS_ENABLE(1)))); + + toep->flags &= ~TPF_TLS_STARTING; + toep->flags |= TPF_TLS_RECEIVE; + } else { + /* + * The socket buffer ends with a partial record with a + * full header and needs at least 6 bytes. + * + * Set PDU length. This is treating the 'resid' bytes + * as a TLS PDU, so the first 5 bytes are a fake + * header and the rest are the PDU length. + */ + ulpmc = mk_set_tcb_field_ulp(sc, ulpmc, toep->tid, + W_TCB_PDU_LEN, V_TCB_PDU_LEN(M_TCB_PDU_LEN), + V_TCB_PDU_LEN(resid - sizeof(struct tls_hdr))); + CTR3(KTR_CXGBE, "%s: tid %d setting PDU_LEN to %zu", + __func__, toep->tid, resid - sizeof(struct tls_hdr)); + + /* Clear all bits in ULP_RAW except for ENABLE. */ + ulpmc = mk_set_tcb_field_ulp(sc, ulpmc, toep->tid, + W_TCB_ULP_RAW, V_TCB_ULP_RAW(M_TCB_ULP_RAW), + V_TCB_ULP_RAW(V_TF_TLS_ENABLE(1))); + + /* Wait for 'resid' bytes to be delivered as CPL_RX_DATA. 
*/ + toep->tls.rx_resid = resid; + } + + if (ulp_mode(toep) == ULP_MODE_NONE) { + /* Set the ULP mode to ULP_MODE_TLS. */ + toep->params.ulp_mode = ULP_MODE_TLS; + ulpmc = mk_set_tcb_field_ulp(sc, ulpmc, toep->tid, + W_TCB_ULP_TYPE, V_TCB_ULP_TYPE(M_TCB_ULP_TYPE), + V_TCB_ULP_TYPE(ULP_MODE_TLS)); + } /* Clear TF_RX_QUIESCE. */ ulpmc = mk_set_tcb_field_ulp(sc, ulpmc, toep->tid, W_TCB_T_FLAGS, @@ -1205,7 +1267,8 @@ tls_check_rx_sockbuf(struct adapter *sc, struct toepcb *toep, * size of a TLS record, re-enable receive and pause again once * we get more data to try again. */ - if (!have_header || resid != 0) { + if (!have_header || (resid != 0 && (resid < sizeof(struct tls_hdr) || + is_t6(sc)))) { CTR(KTR_CXGBE, "%s: tid %d waiting for more data", __func__, toep->tid); toep->flags &= ~TPF_TLS_RX_QUIESCED; @@ -1213,7 +1276,7 @@ tls_check_rx_sockbuf(struct adapter *sc, struct toepcb *toep, return; } - tls_update_tcb(sc, toep, seqno); + tls_update_tcb(sc, toep, seqno, resid); } void
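Review bot: In the first hunk (@@ -1091, the field counting in tls_update_tcb()), the comment "/* W_TCB_TLS_SEQ */" names a field that the write later in the same function spells W_TCB_RX_TLS_SEQ, so a search for the macro misses the count; the comment should use the real name. The count is also maintained by hand in parallel with the mk_set_tcb_field_ulp() calls, and both arms of the new resid test add exactly two fields, so the if/else could collapse to a single "fields += 2" with a comment listing the two cases, which leaves less room for the count and the writes to drift apart. The re-indented "fields ++;" keeps the stray space while every other increment in the hunk is "fields++;".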
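Review bot: In the second hunk (@@ -1136), the resid != 0 branch computes "resid - sizeof(struct tls_hdr)" as an unsigned size_t subtraction with no local check, so tls_update_tcb() relies entirely on the guard in tls_check_rx_sockbuf() to keep it from wrapping. The only KASSERT added to the function covers the ULP mode, not the length. A KASSERT at the top of the else branch that resid is larger than sizeof(struct tls_hdr), and that the difference fits within M_TCB_PDU_LEN, would stop a wrapped or truncated length from being written to W_TCB_PDU_LEN if a future caller skips the guard. The expression also appears twice, once in the write and once in the CTR3 trace; a local variable would keep the traced value identical to the programmed one.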
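Review bot: In the third hunk (@@ -1205, the tls_check_rx_sockbuf() guard), the test "resid < sizeof(struct tls_hdr)" lets resid == sizeof(struct tls_hdr) through to tls_update_tcb(), where the new comment says the partial record "needs at least 6 bytes" and treats the first 5 as a fake header. With resid equal to the header size the else branch programs V_TCB_PDU_LEN(0). If a zero-length PDU is not intended, the comparison should be "<="; if it is, the comment in tls_update_tcb() should say so. The chip test is also written as is_t6(sc), meaning every adapter that is not a T6 takes the partial-record path, while the commit message attributes the capability to T7 specifically; a short comment on the condition stating that assumption would help the next reader.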