
Initial support for kernel offload of TLS receive.
Status: Abandoned (Public)

Authored by jhb on Apr 16 2020, 9:24 PM.
Summary
  • Add a new TCP_RXTLS_ENABLE socket option to set the encryption and authentication algorithms and keys as well as the initial sequence number.
  • When reading from a socket using KTLS receive, applications must use recvmsg(). Each successful call to recvmsg() will return a single TLS record. A new TCP control message, TLS_GET_RECORD, will contain the TLS record header of the decrypted record. The regular message buffer passed to recvmsg() will receive the decrypted payload. This is similar to the interface used by Linux's KTLS RX except that Linux does not return the full TLS header in the control message.
  • Add plumbing to the TOE KTLS interface to request either transmit or receive KTLS sessions.
  • When a socket is using receive KTLS, redirect reads from soreceive_stream() into soreceive_generic().
  • Note that this interface is currently only defined for TLS 1.1 and 1.2, though I believe we will be able to reuse the same interface and structures for 1.3.
Test Plan
  • Tested with TOE on T6, and the interface has also been tested with a KTLS RX software solution.
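An application-side decoder for the recvmsg() interface described in the summary, added here as an illustration; it is not code from this review's diff. It assumes the TLS_GET_RECORD control message carries the 5-byte TLS record header in wire format, uses a placeholder numeric value for TLS_GET_RECORD (the real definition lives in FreeBSD's <netinet/tcp.h>), and the names tls_rec_hdr, ktls_get_record_hdr and sample_record_is_app_data are this example's own.

```c
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Placeholder value: on FreeBSD use the real TLS_GET_RECORD from <netinet/tcp.h>. */
#ifndef TLS_GET_RECORD
#define TLS_GET_RECORD 0x7f01
#endif
#define TLS_HDR_LEN 5	/* type(1) + version(2) + length(2), wire format */

/* Decoded TLS record header (hypothetical struct name for this example). */
struct tls_rec_hdr { uint8_t type, vmajor, vminor; uint16_t length; };

/* Find the TLS_GET_RECORD control message that recvmsg() returned alongside one
 * decrypted record and decode the header it carries. Returns 0 on success, -1
 * when the message is absent or truncated; callers should treat -1 as fatal. */
int ktls_get_record_hdr(struct msghdr *msg, struct tls_rec_hdr *out)
{
	for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c != NULL; c = CMSG_NXTHDR(msg, c)) {
		if (c->cmsg_level != IPPROTO_TCP || c->cmsg_type != TLS_GET_RECORD)
			continue;
		if (c->cmsg_len < CMSG_LEN(TLS_HDR_LEN))
			return -1;
		const unsigned char *p = CMSG_DATA(c);
		out->type = p[0]; out->vmajor = p[1]; out->vminor = p[2];
		out->length = (uint16_t)((p[3] << 8) | p[4]);
		return 0;
	}
	return -1;	/* no TLS_GET_RECORD cmsg: not a KTLS RX record */
}

/* Constructed sample, not captured from a socket: the control buffer for a
 * TLS 1.2 application_data (type 23) record carrying 0x0123 payload bytes.
 * Returns 1 when the decoder recovers exactly those fields. Alerts and
 * handshake records arrive through the same path, so real callers dispatch on type. */
int sample_record_is_app_data(void)
{
	unsigned char cbuf[CMSG_SPACE(TLS_HDR_LEN)];
	const unsigned char hdr[TLS_HDR_LEN] = { 23, 3, 3, 0x01, 0x23 };
	struct msghdr msg = { .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
	struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
	struct tls_rec_hdr h;
	c->cmsg_level = IPPROTO_TCP;
	c->cmsg_type = TLS_GET_RECORD;
	c->cmsg_len = CMSG_LEN(TLS_HDR_LEN);
	memcpy(CMSG_DATA(c), hdr, TLS_HDR_LEN);
	if (ktls_get_record_hdr(&msg, &h) != 0)
		return 0;
	return h.type == 23 && h.vmajor == 3 && h.vminor == 3 && h.length == 0x0123;
}
```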
