On Tue, 14 Jul 2020 01:15:26 +0300 Boris Pismenny wrote: > On 13/07/2020 22:05, David Miller wrote: > > The TLS signatures are supposed to be even stronger than the protocol > > checksum, and therefore we should send out valid ones rather than > > incorrect ones. > > Right, but one is on packet payload, while the other is part of the payload. > > > Why can't the device generate the correct TLS signature when > > offloading? Just like for the protocol checksum, the device should > > load the payload into the device over DMA and make it's calculations > > on that copy. > > Right. The problematic case is when some part of the record is already > received by the other party, and then some (modified) data including > the TLS authentication tag is re-transmitted. > The modified tag is calculated over the new data, while the other party > will use the already received old data, resulting in authentication error. > > > For SW kTLS, we must copy. Potentially sending out garbage signatures > > in a packet cannot be an "option". > > Obviously, SW kTLS must encrypt the data into a different kernel buffer, > which is the same as copying for that matter. TLS_DEVICE doesn't require this.
This proposal is one big attrition of requirements, which I personally dislike quite a bit. Nothing material has changed since the first version of the code was upstreamed, let's ask ourselves - why was the knob not part of the initial submission?
