I’ve been following the NVIDIA TLS Offload Guide (NVIDIA TLS Offload Guide - NVIDIA Docs) for kTLS hardware offload testing via OpenSSL.
Despite adhering closely to the instructions, I encountered an issue at the final step. When monitoring kTLS over kernel counters (using cat /proc/net/tls_stat), I noticed that the TlsTxSw and TlsRxSw counters increase with each connection attempt, while TlsTxDevice and TlsRxDevice remain at zero. This suggests that the Tx and Rx connections are opened in software mode, not in the hardware-offload mode that I want. This is puzzling since I've ensured the correct configuration of kTLS, OVS bridges, etc.
I use two hosts equipped with BlueFields, as suggested in the guide, but a potential concern is the difference in kernel versions between my two hosts. One supports only tls-hw-tx-offload (because its kernel version is lower), while the other supports both tls-hw-tx-offload and tls-hw-rx-offload. Could this discrepancy be causing the connections to default to software mode? Would matching the kernel versions on both machines to support both offloads be a solution?
Additionally, both BlueFields are set to embedded CPU function ownership (ECPF) mode, the default for BlueField DPU. Is this configuration appropriate?
If none of these factors are the cause, I would greatly appreciate any insights or suggestions on what else might be going wrong.
Thank you very much in advance for your time and help!
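
The counter check described in the post, as an added example that is not part of the original post: it compares two snapshots of /proc/net/tls_stat taken around a test connection and reads the tls-hw-* features from saved `ethtool -k` output. The function names, file names and sample values are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare two snapshots of /proc/net/tls_stat and report, per
# direction, whether sessions opened in between used NIC or host cryptography.

# tls_delta BEFORE AFTER COUNTER -> prints (after - before) for that counter
tls_delta() {
    awk -v key="$3" '
        $1 == key { if (NR == FNR) b = $2; else a = $2 }
        END { print a - b }
    ' "$1" "$2"
}

# tls_classify BEFORE AFTER Tx|Rx -> device | software | mixed | none
tls_classify() {
    local sw dev
    sw=$(tls_delta "$1" "$2" "Tls${3}Sw")
    dev=$(tls_delta "$1" "$2" "Tls${3}Device")
    if [ "$dev" -gt 0 ] && [ "$sw" -gt 0 ]; then echo mixed
    elif [ "$dev" -gt 0 ]; then echo device
    elif [ "$sw" -gt 0 ]; then echo software
    else echo none
    fi
}

# tls_feature ETHTOOL_K_FILE FEATURE -> on | off | absent
tls_feature() {
    awk -v f="$2:" '$1 == f { print $2; hit = 1 } END { if (!hit) print "absent" }' "$1"
}

# Constructed sample data (not taken from the post): two new sessions per
# direction, all opened with host cryptography; RX offload unavailable.
SAMPLES=$(mktemp -d)
fmt='TlsTxSw \t%s\nTlsRxSw \t%s\nTlsTxDevice \t%s\nTlsRxDevice \t%s\n'
printf "$fmt" 4 4 0 0 > "$SAMPLES/before"
printf "$fmt" 6 6 0 0 > "$SAMPLES/after"
printf 'tls-hw-tx-offload: on\ntls-hw-rx-offload: off [fixed]\n' > "$SAMPLES/features"

for dir in Tx Rx; do
    echo "$dir sessions: $(tls_classify "$SAMPLES/before" "$SAMPLES/after" "$dir")"
done
for feat in tls-hw-tx-offload tls-hw-rx-offload; do
    echo "$feat: $(tls_feature "$SAMPLES/features" "$feat")"
done
```

On a live host, the snapshot files would come from running `cat /proc/net/tls_stat` before and after the test connection, and the features file from `ethtool -k` on the interface under test.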