[PATCH 1/3] xfrm: extend ESP offload infrastructure for packet engines
Jihong Min
hurryman2212 at gmail.com
Sat May 23 05:15:20 PDT 2026
Some ESP offload engines operate on whole ESP packets rather than the
generic software trailer layout. They can generate outbound ESP padding,
next-header and ICV bytes in hardware, and inbound decapsulation can
return an already-trimmed packet with the recovered next-header value.
Add a netdev offload callback for drivers to opt into hardware-generated
ESP TX trailers, carry the reserved ESP TX tail length in xfrm_offload,
and let ESP input skip software trailer removal when hardware has already
done it.
This keeps the default ESP offload behavior unchanged for existing devices
while providing the infrastructure needed by packet-mode ESP engines.
Assisted-by: Codex:gpt-5.5
Signed-off-by: Jihong Min <hurryman2212 at gmail.com>
---
include/linux/netdevice.h | 3 +++
include/net/xfrm.h | 8 +++++++-
net/ipv4/esp4.c | 6 +++++-
net/ipv4/esp4_offload.c | 29 ++++++++++++++++++++++++++++-
net/ipv6/esp6.c | 6 +++++-
net/ipv6/esp6_offload.c | 29 ++++++++++++++++++++++++++++-
6 files changed, 76 insertions(+), 5 deletions(-)
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 0e1e581efc5a..b6ff04c3df78 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -1043,6 +1043,9 @@ struct xfrmdev_ops {
struct xfrm_state *x);
bool (*xdo_dev_offload_ok) (struct sk_buff *skb,
struct xfrm_state *x);
+ /* Return true when the device generates the ESP trailer/ICV itself. */
+ bool (*xdo_dev_esp_tx_hw_trailer)(struct sk_buff *skb,
+ struct xfrm_state *x);
void (*xdo_dev_state_advance_esn) (struct xfrm_state *x);
void (*xdo_dev_state_update_stats) (struct xfrm_state *x);
int (*xdo_dev_policy_add) (struct xfrm_policy *x, struct netlink_ext_ack *extack);
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 10d3edde6b2f..160069901e0a 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1141,7 +1141,7 @@ struct xfrm_offload {
#define CRYPTO_FALLBACK 8
#define XFRM_GSO_SEGMENT 16
#define XFRM_GRO 32
-/* 64 is free */
+#define XFRM_ESP_NO_TRAILER 64
#define XFRM_DEV_RESUME 128
#define XFRM_XMIT 256
@@ -1158,6 +1158,12 @@ struct xfrm_offload {
/* Used to keep whole l2 header for transport mode GRO */
__u16 orig_mac_len;
+ /*
+ * ESP packet engines can reserve tailroom in the generic ESP path and
+ * generate padding, next-header and ICV bytes during device TX.
+ */
+ __u16 esp_tx_tailen;
+
__u8 proto;
__u8 inner_ipproto;
};
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 6a5febbdbee4..f21c8f2e60f7 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -720,7 +720,11 @@ int esp_input_done2(struct sk_buff *skb, int err)
if (unlikely(err))
goto out;
- err = esp_remove_trailer(skb);
+ /* Hardware ESP decapsulation can already remove pad/trailer/ICV. */
+ if (xo && (xo->flags & XFRM_ESP_NO_TRAILER))
+ err = xo->proto;
+ else
+ err = esp_remove_trailer(skb);
if (unlikely(err < 0))
goto out;
diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
index abd77162f5e7..f00fff98b69f 100644
--- a/net/ipv4/esp4_offload.c
+++ b/net/ipv4/esp4_offload.c
@@ -270,8 +270,10 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_
struct xfrm_offload *xo;
struct ip_esp_hdr *esph;
struct crypto_aead *aead;
+ struct sk_buff *trailer;
struct esp_info esp;
bool hw_offload = true;
+ bool hw_trailer = false;
__u32 seq;
int encap_type = 0;
@@ -281,6 +283,7 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_
if (!xo)
return -EINVAL;
+ xo->esp_tx_tailen = 0;
if ((!(features & NETIF_F_HW_ESP) &&
!(skb->dev->gso_partial_features & NETIF_F_HW_ESP)) ||
@@ -303,13 +306,37 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_
esp.clen = ALIGN(skb->len + 2 + esp.tfclen, blksize);
esp.plen = esp.clen - skb->len - esp.tfclen;
esp.tailen = esp.tfclen + esp.plen + alen;
+ if (esp.tailen > U16_MAX)
+ return -EINVAL;
esp.esph = ip_esp_hdr(skb);
if (x->encap)
encap_type = x->encap->encap_type;
- if (!hw_offload || !skb_is_gso(skb) || (hw_offload && encap_type == UDP_ENCAP_ESPINUDP)) {
+ if (hw_offload && !skb_is_gso(skb) && !encap_type && x->xso.dev &&
+ x->xso.dev->xfrmdev_ops &&
+ x->xso.dev->xfrmdev_ops->xdo_dev_esp_tx_hw_trailer)
+ hw_trailer =
+ x->xso.dev->xfrmdev_ops->xdo_dev_esp_tx_hw_trailer(skb, x);
+
+ if (hw_trailer) {
+ int esph_offset;
+
+ /*
+ * The device packet engine will write ESP padding, next-header
+ * and ICV bytes. Keep skb->len unchanged here, but make sure the
+ * later DMA writer owns enough linear tailroom.
+ */
+ esph_offset = (unsigned char *)esp.esph - skb_transport_header(skb);
+ esp.nfrags = skb_cow_data(skb, esp.tailen, &trailer);
+ if (esp.nfrags < 0)
+ return esp.nfrags;
+ esp.esph = (struct ip_esp_hdr *)(skb_transport_header(skb) +
+ esph_offset);
+ xo->esp_tx_tailen = esp.tailen;
+ } else if (!hw_offload || !skb_is_gso(skb) ||
+ (hw_offload && encap_type == UDP_ENCAP_ESPINUDP)) {
esp.nfrags = esp_output_head(x, skb, &esp);
if (esp.nfrags < 0)
return esp.nfrags;
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 9c06c5a1419d..730588f8eaba 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -751,7 +751,11 @@ int esp6_input_done2(struct sk_buff *skb, int err)
if (unlikely(err))
goto out;
- err = esp_remove_trailer(skb);
+ /* Hardware ESP decapsulation can already remove pad/trailer/ICV. */
+ if (xo && (xo->flags & XFRM_ESP_NO_TRAILER))
+ err = xo->proto;
+ else
+ err = esp_remove_trailer(skb);
if (unlikely(err < 0))
goto out;
diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
index 22895521a57d..d124493da40b 100644
--- a/net/ipv6/esp6_offload.c
+++ b/net/ipv6/esp6_offload.c
@@ -308,8 +308,10 @@ static int esp6_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features
int blksize;
struct xfrm_offload *xo;
struct crypto_aead *aead;
+ struct sk_buff *trailer;
struct esp_info esp;
bool hw_offload = true;
+ bool hw_trailer = false;
__u32 seq;
esp.inplace = true;
@@ -318,6 +320,7 @@ static int esp6_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features
if (!xo)
return -EINVAL;
+ xo->esp_tx_tailen = 0;
if (!(features & NETIF_F_HW_ESP) || x->xso.dev != skb->dev) {
xo->flags |= CRYPTO_FALLBACK;
@@ -338,8 +341,32 @@ static int esp6_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features
esp.clen = ALIGN(skb->len + 2 + esp.tfclen, blksize);
esp.plen = esp.clen - skb->len - esp.tfclen;
esp.tailen = esp.tfclen + esp.plen + alen;
+ if (esp.tailen > U16_MAX)
+ return -EINVAL;
- if (!hw_offload || !skb_is_gso(skb)) {
+ if (hw_offload && !skb_is_gso(skb) && !x->encap && x->xso.dev &&
+ x->xso.dev->xfrmdev_ops &&
+ x->xso.dev->xfrmdev_ops->xdo_dev_esp_tx_hw_trailer)
+ hw_trailer =
+ x->xso.dev->xfrmdev_ops->xdo_dev_esp_tx_hw_trailer(skb, x);
+
+ if (hw_trailer) {
+ int esph_offset;
+
+ /*
+ * The device packet engine will write ESP padding, next-header
+ * and ICV bytes. Keep skb->len unchanged here, but make sure the
+ * later DMA writer owns enough linear tailroom.
+ */
+ esp.esph = ip_esp_hdr(skb);
+ esph_offset = (unsigned char *)esp.esph - skb_transport_header(skb);
+ esp.nfrags = skb_cow_data(skb, esp.tailen, &trailer);
+ if (esp.nfrags < 0)
+ return esp.nfrags;
+ esp.esph = (struct ip_esp_hdr *)(skb_transport_header(skb) +
+ esph_offset);
+ xo->esp_tx_tailen = esp.tailen;
+ } else if (!hw_offload || !skb_is_gso(skb)) {
esp.nfrags = esp6_output_head(x, skb, &esp);
if (esp.nfrags < 0)
return esp.nfrags;
--
2.53.0
More information about the linux-arm-kernel
mailing list