Page MenuHomeFreeBSD

Add a manpage for kernel TLS.
ClosedPublic

Authored by jhb on Nov 18 2020, 11:55 PM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Dec 5, 2:12 AM
Unknown Object (File)
Fri, Nov 29, 1:59 AM
Unknown Object (File)
Nov 22 2024, 11:32 AM
Unknown Object (File)
Nov 16 2024, 9:32 AM
Unknown Object (File)
Nov 9 2024, 7:01 AM
Unknown Object (File)
Oct 29 2024, 9:03 AM
Unknown Object (File)
Oct 20 2024, 10:22 AM
Unknown Object (File)
Oct 19 2024, 3:56 PM

Details

Summary

This subsumes some of the content from tcp(4) describing the socket
options but also adds additional notes.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jhb requested review of this revision.Nov 18 2020, 11:55 PM
jhb created this revision.
This revision is now accepted and ready to land.Nov 19 2020, 8:41 AM

@jhb did you run the obligatory igor and mandoc -Tlint checks?

@gbe Hmm, igor was happy, but mandoc found a couple of nits. tcp.4 has many other existing mandoc complaints but I will let those be.

  • Fix a few nits reported by mandoc.
This revision now requires review to proceed.Nov 19 2020, 7:07 PM
This revision is now accepted and ready to land.Nov 24 2020, 10:51 AM
This revision was automatically updated to reflect the committed changes.

Thanks for doing this John. A couple of typo comments are inline.
Have you thought about how to configure this at boot time?
(I emailed you a little rc.d script. The nfs-over-tls daemons start
via rc.d scripts and need it configured.

What do you think?
(I can put it on phabricator if you'd prefer that?)

head/share/man/man4/ktls.4
81

spelling of "performed"

87

"is" doesn't seem to be needed and makes it difficult to read?

I am now thinking that the ktls script is not needed
and is just one more thing to maintain.
/boot/loader.conf for loading modules and /etc/sysctl.conf
for syscyls seems sufficient to me.

I'll leave it up to you.

I am now thinking that the ktls script is not needed
and is just one more thing to maintain.
/boot/loader.conf for loading modules and /etc/sysctl.conf
for syscyls seems sufficient to me.

I'll leave it up to you.

I think we can just let people set settings in sysctl.conf. However, it might also make sense to flip the default settings in a KERN_TLS kernel to enable unmapped mbufs and ktls by default. Since KERN_TLS is not in GENERIC, it's already an opt-in thing.

It's up to you, however I tend to think of sysctls as orthogonal
to kernel options and, as such, having the default change
based on KERN_TLS seems a little weird to me.

I can see a case where a sysadmin has a large # of systems,
a few of which use ktls, but they use the same custom kernel
for all of the systems. They might not prefer this change in defaults.

Although I don't think you'd want to do so now, is there a
reason that KERN_TLS cannot be in GENERIC in the future?

It's up to you, however I tend to think of sysctls as orthogonal
to kernel options and, as such, having the default change
based on KERN_TLS seems a little weird to me.

I can see a case where a sysadmin has a large # of systems,
a few of which use ktls, but they use the same custom kernel
for all of the systems. They might not prefer this change in defaults.

Although I don't think you'd want to do so now, is there a
reason that KERN_TLS cannot be in GENERIC in the future?

The reason it is off today is probably more due to excessive paranoia
and it being a new feature. Most other optional features default to
on when enabled (e.g. 'options IPSEC' or 'options NFSCL').

It probably should flip to default to on once it is considered
non-experimental (and I think we are probably at that point).

In regards to adding it to GENERIC, I'm not quite sure about that one.

Righto. I was thinking that, someday (maybe within the
FreeBSD13 release lifetime) that NFS over TLS might
become widely useful and not needing to build a
custom kernel would be nice then.

I was thinking there might have been a reason,
such a export issues w.r.t encryption, that would
make the answer "never" to putting it in GENERIC.

Btw, all the kernel bits for NFS over TLS are now in
head/FreeBSD13 and I have created a port for the
daemons that depends on the security/openssl-devel
port. (I have asked the openssl-devel port maintainer
if KTLS can be enabled by default on it.)

Obviously, I'm just trying to make NFS over TLS easier to set up
on FreeBSD13.

Thanks for the comments, rick