
ktls_test: Permit an option to skip tests not using ifnet TLS.
Closed, Public

Authored by jhb on Jun 7 2022, 9:20 PM.

Details

Summary

If ktls.require_ifnet is set to true, then check the TLS offload mode
for tests sending and receiving records and skip the test if the
offload mode is not ifnet mode.

This can be used along with ktls.host to run KTLS tests against a NIC
supporting ifnet TLS and verify that expected cipher suites and
directions used ifnet TLS rather than software TLS. Receive tests may
result in a false positive as receive ifnet TLS can use software as a
fallback.

Sponsored by: Chelsio Communications

Diff Detail

Repository: rG FreeBSD src repository

Event Timeline

I've used this by enabling the echo service in inetd (and running inetd with -C 0 -R 0) on a remote host named 'host1' and then running:

kyua -v test_suites.FreeBSD.ktls.host=host1 -v test_suites.FreeBSD.ktls.require_ifnet=true test -k /usr/tests/sys/kern/Kyuafile ktls_test

Cipher suites supported by the NIC pass, and ones not supported are skipped, e.g.:

ktls_test:ktls_transmit_aes128_cbc_1_0_sha1_control  ->  skipped: connection did not use ifnet TLS  [0.004s]
ktls_test:ktls_transmit_aes128_cbc_1_0_sha1_empty_fragment  ->  skipped: connection did not use ifnet TLS  [0.005s]
ktls_test:ktls_transmit_aes128_cbc_1_0_sha1_long  ->  skipped: connection did not use ifnet TLS  [0.005s]
...
ktls_test:ktls_transmit_aes128_cbc_1_1_sha1_control  ->  passed  [0.005s]
ktls_test:ktls_transmit_aes128_cbc_1_1_sha1_empty_fragment  ->  passed  [0.004s]
ktls_test:ktls_transmit_aes128_cbc_1_1_sha1_long  ->  passed  [0.005s]
...
ktls_test:ktls_transmit_aes128_gcm_1_2_control  ->  passed  [0.005s]
ktls_test:ktls_transmit_aes128_gcm_1_2_empty_fragment  ->  passed  [0.004s]
ktls_test:ktls_transmit_aes128_gcm_1_2_long  ->  passed  [0.005s]
ktls_test:ktls_transmit_aes128_gcm_1_2_short  ->  passed  [0.005s]
ktls_test:ktls_transmit_aes128_gcm_1_3_control  ->  skipped: connection did not use ifnet TLS  [0.004s]
ktls_test:ktls_transmit_aes128_gcm_1_3_empty_fragment  ->  skipped: connection did not use ifnet TLS  [0.004s]
ktls_test:ktls_transmit_aes128_gcm_1_3_long  ->  skipped: connection did not use ifnet TLS  [0.005s]
ktls_test:ktls_transmit_aes128_gcm_1_3_short  ->  skipped: connection did not use ifnet TLS  [0.004s]

Note that since T6 doesn't support RX offload, I've only been able to test the TX side, but receive should in theory work the same with the caveat that since the receive tests are so short they may end up using software decrypt for all of the traffic.

This revision is now accepted and ready to land.
Jun 13 2022, 6:26 PM
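
An added example, not part of this revision or the FreeBSD source tree: one way to turn a run like the one above into a pass/fail audit of which cipher suites actually used NIC offload. It assumes the run used ktls.require_ifnet=true (so "passed" means the test was not skipped for lack of ifnet TLS); the sample lines are constructed in the format shown above, and `summarize`, `audit` and the expected-suite set are hypothetical names chosen here.

```python
import re
from collections import defaultdict

# Constructed sample: result lines in the format shown in the comment above.
SAMPLE = """\
ktls_test:ktls_transmit_aes128_cbc_1_0_sha1_control  ->  skipped: connection did not use ifnet TLS  [0.004s]
ktls_test:ktls_transmit_aes128_cbc_1_1_sha1_long  ->  passed  [0.005s]
ktls_test:ktls_transmit_aes128_gcm_1_2_short  ->  passed  [0.005s]
ktls_test:ktls_transmit_aes128_gcm_1_3_short  ->  skipped: connection did not use ifnet TLS  [0.004s]
"""

LINE = re.compile(
    r"^ktls_test:ktls_(transmit|receive)_(.+?)_(\d)_(\d)(?:_sha\d+)?_\w+"
    r"\s+->\s+(\w+)(?::\s*(.*?))?\s+\[[\d.]+s\]$")
NOT_IFNET = "connection did not use ifnet TLS"

def summarize(text):
    """Map (direction, cipher, version) -> set of states seen across its test cases."""
    suites = defaultdict(set)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # "..." elisions and unrelated kyua output
        direction, cipher, major, minor, result, reason = m.groups()
        if result == "passed":
            state = "ifnet"  # assumption: run had require_ifnet=true
        elif result == "skipped" and reason == NOT_IFNET:
            state = "not_ifnet"
        else:
            state = "other"  # failures, or skips for unrelated reasons
        suites[(direction, cipher, f"{major}.{minor}")].add(state)
    return dict(suites)

def audit(expected, suites):
    """Return problems for suites the operator expects the NIC to offload."""
    problems = []
    for key in sorted(expected):
        states = suites.get(key)
        if states is None:
            problems.append((key, "no results"))
        elif states != {"ifnet"}:
            problems.append((key, "not fully offloaded: " + ",".join(sorted(states))))
        elif key[0] == "receive":
            problems.append((key, "inconclusive: receive may fall back to software"))
    return problems
```

Receive suites are reported as inconclusive even when every case passes, reflecting the caveat in the summary that receive ifnet TLS can fall back to software.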