From: Dave Watson <davejwatson@fb.com>
To: "David S. Miller" <davem@davemloft.net>,
Tom Herbert <tom@quantonium.net>,
Alexei Starovoitov <alexei.starovoitov@gmail.com>,
<herbert@gondor.apana.org.au>, <linux-crypto@vger.kernel.org>,
<netdev@vger.kernel.org>, <ilyal@mellanox.com>,
<borisp@mellanox.com>
Cc: Atul Gupta <atul.gupta@chelsio.com>,
Vakul Garg <vakul.garg@nxp.com>,
Hannes Frederic Sowa <hannes@stressinduktion.org>,
Steffen Klassert <steffen.klassert@secunet.com>,
John Fastabend <john.fastabend@gmail.com>,
Daniel Borkmann <daniel@iogearbox.net>
Subject: [PATCH RFC 0/5] TLS Rx
Date: Thu, 8 Mar 2018 08:49:56 -0800
Message-ID: <20180308164956.GA18597@davejwatson-mba>

TLS TCP socket RX implementation, to match existing TX code.

This patchset completes the software TLS socket, allowing full
bi-directional communication over TLS using normal socket syscalls,
after the handshake has been done in userspace. Only the symmetric
encryption is done in the kernel.

This allows usage of TLS sockets from within the kernel (for example
with network block device, or from bpf). Performance can be better
than userspace, with appropriate crypto routines [1].

sk->sk_socket->ops must be overridden to implement splice_read and
poll, but otherwise the interface & implementation match TX closely.
strparser is used to parse TLS framing on receive.

There are OpenSSL RX patches that work with this interface [2], as
well as a testing tool using the socket interface directly (without
cmsg support) [3]. An example TCP socket setup is:

  // Normal tcp socket connect/accept, and TLS handshake
  // using any TLS library.
  setsockopt(sock, SOL_TCP, TCP_ULP, "tls", sizeof("tls"));

  struct tls12_crypto_info_aes_gcm_128 crypto_info_rx;
  // Fill in crypto_info_rx based on negotiated keys.
  setsockopt(sock, SOL_TLS, TLS_RX, &crypto_info_rx, sizeof(crypto_info_rx));
  // You can optionally set TLS_TX as well.

  char buffer[16384];
  int ret = recv(sock, buffer, sizeof(buffer), 0);

  // cmsg can be received using recvmsg and a msg_control
  // of type TLS_GET_RECORD_TYPE will be set.

[1] Recent crypto patchset to remove copies, resulting in optimally
    zero copies vs. userspace's one, vs. previous kernel's two.
    https://marc.info/?l=linux-crypto-vger&m=151931242406416&w=2

[2] https://github.com/Mellanox/openssl/commits/tls_rx

[3] https://github.com/ktls/af_ktls-tool/tree/RX

Dave Watson (5):
  tls: Generalize zerocopy_from_iter
  tls: Move cipher info to a separate struct
  tls: Pass error code explicitly to tls_err_abort
  tls: RX path for ktls
  tls: Add receive path documentation

 Documentation/networking/tls.txt |  59 +++-
 include/net/tls.h                |  59 +++-
 include/uapi/linux/tls.h         |   2 +
 net/tls/Kconfig                  |   1 +
 net/tls/tls_main.c               |  70 ++++-
 net/tls/tls_sw.c                 | 631 ++++++++++++++++++++++++++++++++++-----
 6 files changed, 708 insertions(+), 114 deletions(-)

--
2.9.5
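
The cmsg path mentioned in the setup comments above, as an added example that is not part of the original post or of the patch series: a parser for the TLS_GET_RECORD_TYPE control message that recvmsg() returns, so a receiver can tell alerts and handshake records apart from application data and refuses to guess when the control buffer was truncated. The REC_* codes and the sample_msg helper are hypothetical names; SOL_TLS = 282 and TLS_GET_RECORD_TYPE = 2 are the values from the kernel headers, repeated as fallbacks.

```c
#include <string.h>
#include <sys/socket.h>

/* Kernel header constants, repeated so this builds without linux/tls.h. */
#ifndef SOL_TLS
#define SOL_TLS 282
#endif
#ifndef TLS_GET_RECORD_TYPE
#define TLS_GET_RECORD_TYPE 2
#endif
#define REC_NO_CMSG   (-1) /* hypothetical code: no record-type cmsg */
#define REC_TRUNCATED (-2) /* hypothetical code: control buffer too small */

/* TLS ContentType (21 alert, 22 handshake, 23 application data) that
 * recvmsg() attached to msg, or one of the negative codes above. */
int tls_record_type(struct msghdr *msg)
{
    struct cmsghdr *c;

    if (msg->msg_flags & MSG_CTRUNC)
        return REC_TRUNCATED; /* do not guess from a cut-off cmsg */
    for (c = CMSG_FIRSTHDR(msg); c != NULL; c = CMSG_NXTHDR(msg, c))
        if (c->cmsg_level == SOL_TLS && c->cmsg_type == TLS_GET_RECORD_TYPE &&
            c->cmsg_len >= CMSG_LEN(1))
            return *(unsigned char *)CMSG_DATA(c);
    return REC_NO_CMSG;
}

/* Constructed sample: fill msg/cbuf (aligned, >= CMSG_SPACE(1) bytes) as if
 * recvmsg() had delivered one record of the given type. */
void sample_msg(struct msghdr *msg, void *cbuf, size_t len, unsigned char type)
{
    struct cmsghdr *c;

    memset(msg, 0, sizeof(*msg));
    memset(cbuf, 0, len);
    msg->msg_control = cbuf;
    msg->msg_controllen = len;
    c = CMSG_FIRSTHDR(msg);
    c->cmsg_level = SOL_TLS;
    c->cmsg_type = TLS_GET_RECORD_TYPE;
    c->cmsg_len = CMSG_LEN(1);
    *(unsigned char *)CMSG_DATA(c) = type;
}

int main(void)
{
    struct msghdr m;
    long cbuf[8];
    sample_msg(&m, cbuf, sizeof(cbuf), 21); /* constructed alert record */
    return tls_record_type(&m) == 21 ? 0 : 1;
}
```

On a live socket the same function is called on the msghdr passed to recvmsg(), with msg_control pointing at a buffer of at least CMSG_SPACE(1) bytes.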