Does Mellanox Technologies MT2892 support TLS Offload?

Hello,

I am evaluating TLS offload functionality on a network adapter based on the Mellanox Technologies MT2892 family (ConnectX-6 Dx). The device is running the following firmware:

  • Firmware Version: 22.44.1036

  • PSID: Dell OEM

While attempting to configure TLS offload, I noticed that no TLS-related capabilities (such as TLS inline offload or crypto acceleration) appear in mlxconfig, ethtool -k, or under /sys/class/infiniband/.../device/. I also reviewed available documentation but was unable to find an authoritative reference stating whether this specific OEM PSID supports TLS offload.

I would like to request clarification on the following:

  1. Does the Mellanox MT2892 / ConnectX-6 Dx adapter support TLS hardware offload?

  2. If TLS offload is supported, what are the required configuration steps to enable or disable it?

  3. If this PSID does not include TLS offload capability, is there an officially supported firmware or PSID variant that does?

Any official documentation or guidance would be greatly appreciated.

Hi mmmunir966,

MT2892 is the PCI device family for ConnectX‑6 Dx, but whether your specific board supports TLS offload depends on:

The board OPN (part number), e.g. MCX623106AC‑CDAT vs MCX623106AN‑CDAT, you can find in:

For OEM PSIDs, NVIDIA cannot definitively say from our side whether TLS offload is enabled or disabled in the OEM firmware. But you can quickly check it yourself with two steps:

  1. Check if the board is a Crypto SKU (TLS/IPsec prerequisite)
    Run:
    flint -d <device> q | grep -i crypto

    Example (NVIDIA retail card):

    # flint -d  /dev/mst/mt4127_pciconf0 dc |grep Crypto
    
    ;;Description = ConnectX-6 Lx EN adapter card; 25GbE ; Dual-port SFP28; PCIe 4.0 x8; No Crypto
    

    If the description says “Crypto and Secure Boot”, it’s a crypto‑enabled CX‑6 Dx and can, in principle, support TLS/IPsec offload.

    If it says “No Crypto”, that SKU does not have the crypto engine enabled, so TLS offload is not supported, even though it’s still MT2892 / ConnectX‑6 Dx.

  2. Check whether the driver actually sees TLS offload
    If the board is crypto‑enabled, check the TLS features on the host:
    ethtool -k <interface> | grep tls
    Typical cases:

    TLS fields present and not [fixed]:
    tls-hw-tx-offload: off
    tls-hw-rx-offload: off

    → You can turn them on with:

    ethtool --offload <interface> tls-hw-tx-offload on
    ethtool --offload <interface> tls-hw-rx-offload on
    and then configure kTLS / DOCA as in the DOCA TLS Offload Guide:

    TLS fields show up as off [fixed] or are missing entirely (while kernel/driver versions are new enough):

    tls-hw-tx-offload: off [fixed]
    tls-hw-rx-offload: off [fixed]

    → In that case, the current firmware/PSID does not expose TLS offload to the host, even if the underlying MT2892 silicon could support it.

  3. For OEM adapters (e.g. Dell PSID), the exposed feature set (including TLS / kTLS / IPsec offload) is fully controlled by the OEM firmware. If your card is crypto‑capable but tls-hw-* is still off [fixed], the next step is to contact the OEM and ask whether they provide a TLS‑enabled firmware or a different SKU that supports TLS offload.

Thanks

Xu
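
The three outcomes described in the answer above (tls-hw-* fields togglable, off [fixed], or missing) can be checked with a small script that classifies `ethtool -k` output. This is an added example, not part of the original thread or NVIDIA's tooling; the function names, script name and sample outputs are constructed, and the interface name is assumed to be passed as the first argument.

```shell
#!/bin/sh
# Added example: classify the tls-hw-* lines of `ethtool -k <interface>` output.
# Sample outputs below are constructed, not captured from a real adapter.

SAMPLE_TOGGLABLE='Features for eth0:
rx-checksumming: on
tls-hw-tx-offload: off
tls-hw-rx-offload: off'

SAMPLE_FIXED='Features for eth0:
rx-checksumming: on
tls-hw-tx-offload: off [fixed]
tls-hw-rx-offload: off [fixed]'

SAMPLE_MISSING='Features for eth0:
rx-checksumming: on'

# Reads `ethtool -k` text on stdin and prints the state of one feature:
# on | off | on-fixed | off-fixed | missing
tls_feature_state() {
    awk -v f="$1" '
        BEGIN { state = "missing" }
        $1 == (f ":") { state = $2; if ($3 == "[fixed]") state = state "-fixed" }
        END { print state }'
}

# Reads `ethtool -k` text on stdin and prints "<verdict> tx=<state> rx=<state>".
tls_offload_verdict() {
    features=$(cat)
    tx=$(printf '%s\n' "$features" | tls_feature_state tls-hw-tx-offload)
    rx=$(printf '%s\n' "$features" | tls_feature_state tls-hw-rx-offload)
    case "$tx/$rx" in
        missing/missing) verdict="not-exposed" ;;  # driver lists no tls-hw-* fields
        *fixed*)         verdict="fixed" ;;        # host cannot toggle; firmware/PSID decides
        *)               verdict="togglable" ;;    # ethtool --offload can switch it
    esac
    echo "$verdict tx=$tx rx=$rx"
}

# Usage: ./tls_offload_check.sh <interface>  (ethtool runs only when an interface is given)
if [ -n "${1:-}" ]; then
    ethtool -k "$1" | tls_offload_verdict
fi
```

A `fixed` or `not-exposed` verdict on a crypto-capable board corresponds to the case the answer describes as one to raise with the OEM.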