ConnectX-6 and kTLS

service_nvidia · February 19, 2025, 11:41pm

I am a bit confused on the ConnectX-6 DX cards. From NVidias home page resources you can see that they mention that the TLS offloading crypto engine is available without differentiating between cards;

NVIDIA ConnectX-6 Dx Network Adapters | NVIDIA “IPsec and TLS in-line crypto and block crypto acceleration”
https://www.nvidia.com/content/dam/en-zz/Solutions/networking/ethernet-adapters/connectX-6-dx-datasheet.pdf “Inline hardware TLS encryption and decryption AES-GCM 128/256-bit key”

However looking at the following resource:
https://docs.nvidia.com/networking/display/connectx6dxen

It would seem like the following models are designated as “No Crypto”;

MCX623105AN-CDAT
MCX623106AN-CDAT
MCX623106AS-CDAT

So… what gives? Which ConnectX-6 DX cards have kTLS support and why is it not clearly presented on the product page?

I bought a ConnectX-6 adapter, running the required kernel versions and software, latest firmware, and getting the following:

tls-hw-tx-offload: off [fixed]
tls-hw-rx-offload: off [fixed]
tls-hw-record: off [fixed]

Bit… disappointing?

08:00.0 Ethernet controller: Mellanox Technologies MT2892 Family [ConnectX-6 Dx]

MvB · March 1, 2025, 1:57am

Hello Service_NVIDIA,

Thank you for posting your inquiry on the NVIDIA Developer Forum - Infrastructure and Networking - Section.

Unfortunately only the ConnectX-6 Dx Crypto versions support kTLS offload, as mentioned in the MLNX_OFED UG → Kernel Transport Layer Security (kTLS) Offloads - NVIDIA Docs

The following link provides the information which ConnectX-6 Dx OPNs have crypto functionality → NVIDIA ConnectX-6 Dx Ethernet Adapter Cards User Manual - NVIDIA Docs

Thank you and regards,
~NVIDIA Networking Technical Support

service_nvidia · March 10, 2025, 9:22pm

Thank you. I have successfully flashed the MCX623106AC-CDA_Ax firmware to the card. The card as far as I can see is identical down to the caps to the hardware I have. Literally identical. I am suspecting there is an EEPROM bit set which explicitly disables this functionality. Would there be any unsupported option which I can try with mlxconfig set_raw on the device to force enable the CRYPTO_ENGINE?

mlxconfig -d /dev/mst/mt4125_pciconf0 set DATA_CRYPTO_ENGINE=ENABLED

Device #1:

Device type: ConnectX6DX
Name: MCX623106AC-CDA_Ax
Description: ConnectX-6 Dx EN adapter card; 100GbE; Dual-port QSFP56; PCIe 4.0 x16; Crypto and Secure Boot
Device: /dev/mst/mt4125_pciconf0

Configurations: Next Boot New
-E- The Device doesn’t support DATA_CRYPTO_ENGINE parameter

Thanks!

Topic		Replies	Views
Mellanox Connectx-6 DX TLS Offload issue Ethernet Adapter Cards	2	178	February 8, 2025
Does connectX-6-dx card support TLS offloading with AES256 and TLS 1.3? Ethernet Adapter Cards	1	1206	March 21, 2023
IPSec Offload in ConnectX-6 NIC Mellanox OFED	3	1111	January 25, 2024
Connectx-6DX Flow Hardware Offload Ethernet Adapter Cards	4	999	February 2, 2024
Difference between ConnectX-6 DX and ConnectX-6 VPI cards Ethernet Adapter Cards	2	1033	August 16, 2024
How to flash a generic firmware to ConnectX6-DX board? Mellanox OFED	8	1431	December 16, 2023
Non-Standard ConnectX-6 Dx Firmware Ethernet Adapter Cards	7	2024	January 5, 2024
How to enable IPsec crypto offload on CX6? Ethernet Adapter Cards	2	765	January 3, 2024
Flowtable NAT Hardware Offload on ConnectX-5 cards Ethernet Adapter Cards offload-features	2	1405	June 19, 2023
Does ConnectX-6 Dx and Lx support ATS and PRI Ethernet Adapter Cards	3	1714	May 24, 2023

ConnectX-6 and kTLS

mlxconfig -d /dev/mst/mt4125_pciconf0 set DATA_CRYPTO_ENGINE=ENABLED

Device #1:

Related topics