cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux
Log | Files | Refs | README | LICENSE | sfeed.txt

checksum-offloads.rst (6456B)


      1.. SPDX-License-Identifier: GPL-2.0
      2
      3=================
      4Checksum Offloads
      5=================
      6
      7
      8Introduction
      9============
     10
     11This document describes a set of techniques in the Linux networking stack to
     12take advantage of checksum offload capabilities of various NICs.
     13
     14The following technologies are described:
     15
     16* TX Checksum Offload
     17* LCO: Local Checksum Offload
     18* RCO: Remote Checksum Offload
     19
     20Things that should be documented here but aren't yet:
     21
     22* RX Checksum Offload
     23* CHECKSUM_UNNECESSARY conversion
     24
     25
     26TX Checksum Offload
     27===================
     28
     29The interface for offloading a transmit checksum to a device is explained in
     30detail in comments near the top of include/linux/skbuff.h.
     31
     32In brief, it allows to request the device fill in a single ones-complement
     33checksum defined by the sk_buff fields skb->csum_start and skb->csum_offset.
     34The device should compute the 16-bit ones-complement checksum (i.e. the
     35'IP-style' checksum) from csum_start to the end of the packet, and fill in the
     36result at (csum_start + csum_offset).
     37
     38Because csum_offset cannot be negative, this ensures that the previous value of
     39the checksum field is included in the checksum computation, thus it can be used
     40to supply any needed corrections to the checksum (such as the sum of the
     41pseudo-header for UDP or TCP).
     42
     43This interface only allows a single checksum to be offloaded.  Where
     44encapsulation is used, the packet may have multiple checksum fields in
     45different header layers, and the rest will have to be handled by another
     46mechanism such as LCO or RCO.
     47
     48CRC32c can also be offloaded using this interface, by means of filling
     49skb->csum_start and skb->csum_offset as described above, and setting
     50skb->csum_not_inet: see skbuff.h comment (section 'D') for more details.
     51
     52No offloading of the IP header checksum is performed; it is always done in
     53software.  This is OK because when we build the IP header, we obviously have it
     54in cache, so summing it isn't expensive.  It's also rather short.
     55
     56The requirements for GSO are more complicated, because when segmenting an
     57encapsulated packet both the inner and outer checksums may need to be edited or
     58recomputed for each resulting segment.  See the skbuff.h comment (section 'E')
     59for more details.
     60
     61A driver declares its offload capabilities in netdev->hw_features; see
     62Documentation/networking/netdev-features.rst for more.  Note that a device
     63which only advertises NETIF_F_IP[V6]_CSUM must still obey the csum_start and
     64csum_offset given in the SKB; if it tries to deduce these itself in hardware
     65(as some NICs do) the driver should check that the values in the SKB match
     66those which the hardware will deduce, and if not, fall back to checksumming in
     67software instead (with skb_csum_hwoffload_help() or one of the
     68skb_checksum_help() / skb_crc32c_csum_help functions, as mentioned in
     69include/linux/skbuff.h).
     70
     71The stack should, for the most part, assume that checksum offload is supported
     72by the underlying device.  The only place that should check is
     73validate_xmit_skb(), and the functions it calls directly or indirectly.  That
     74function compares the offload features requested by the SKB (which may include
     75other offloads besides TX Checksum Offload) and, if they are not supported or
     76enabled on the device (determined by netdev->features), performs the
     77corresponding offload in software.  In the case of TX Checksum Offload, that
     78means calling skb_csum_hwoffload_help(skb, features).
     79
     80
     81LCO: Local Checksum Offload
     82===========================
     83
     84LCO is a technique for efficiently computing the outer checksum of an
     85encapsulated datagram when the inner checksum is due to be offloaded.
     86
     87The ones-complement sum of a correctly checksummed TCP or UDP packet is equal
     88to the complement of the sum of the pseudo header, because everything else gets
     89'cancelled out' by the checksum field.  This is because the sum was
     90complemented before being written to the checksum field.
     91
     92More generally, this holds in any case where the 'IP-style' ones complement
     93checksum is used, and thus any checksum that TX Checksum Offload supports.
     94
     95That is, if we have set up TX Checksum Offload with a start/offset pair, we
     96know that after the device has filled in that checksum, the ones complement sum
     97from csum_start to the end of the packet will be equal to the complement of
     98whatever value we put in the checksum field beforehand.  This allows us to
     99compute the outer checksum without looking at the payload: we simply stop
    100summing when we get to csum_start, then add the complement of the 16-bit word
    101at (csum_start + csum_offset).
    102
    103Then, when the true inner checksum is filled in (either by hardware or by
    104skb_checksum_help()), the outer checksum will become correct by virtue of the
    105arithmetic.
    106
    107LCO is performed by the stack when constructing an outer UDP header for an
    108encapsulation such as VXLAN or GENEVE, in udp_set_csum().  Similarly for the
    109IPv6 equivalents, in udp6_set_csum().
    110
    111It is also performed when constructing an IPv4 GRE header, in
    112net/ipv4/ip_gre.c:build_header().  It is *not* currently performed when
    113constructing an IPv6 GRE header; the GRE checksum is computed over the whole
    114packet in net/ipv6/ip6_gre.c:ip6gre_xmit2(), but it should be possible to use
    115LCO here as IPv6 GRE still uses an IP-style checksum.
    116
    117All of the LCO implementations use a helper function lco_csum(), in
    118include/linux/skbuff.h.
    119
    120LCO can safely be used for nested encapsulations; in this case, the outer
    121encapsulation layer will sum over both its own header and the 'middle' header.
    122This does mean that the 'middle' header will get summed multiple times, but
    123there doesn't seem to be a way to avoid that without incurring bigger costs
    124(e.g. in SKB bloat).
    125
    126
    127RCO: Remote Checksum Offload
    128============================
    129
    130RCO is a technique for eliding the inner checksum of an encapsulated datagram,
    131allowing the outer checksum to be offloaded.  It does, however, involve a
    132change to the encapsulation protocols, which the receiver must also support.
    133For this reason, it is disabled by default.
    134
    135RCO is detailed in the following Internet-Drafts:
    136
    137* https://tools.ietf.org/html/draft-herbert-remotecsumoffload-00
    138* https://tools.ietf.org/html/draft-herbert-vxlan-rco-00
    139
    140In Linux, RCO is implemented individually in each encapsulation protocol, and
    141most tunnel types have flags controlling its use.  For instance, VXLAN has the
    142flag VXLAN_F_REMCSUM_TX (per struct vxlan_rdst) to indicate that RCO should be
    143used when transmitting to a given remote destination.