From: Chuck Lever <cel@kernel.org>
To: kuba@kernel.org, pabeni@redhat.com, edumazet@google.com
Cc: netdev@vger.kernel.org, kernel-tls-handshake@lists.linux.dev
Subject: [PATCH v9 0/3] Another crack at a handshake upcall mechanism
Date: Thu, 13 Apr 2023 15:13:48 -0400 [thread overview]
Message-ID: <168141287044.157208.15120359741792569671.stgit@manet.1015granger.net> (raw)
Hi-
Here is v9 of a series to add generic support for transport layer
security handshake on behalf of kernel socket consumers (user space
consumers use a security library directly, of course). A summary of
the purpose of these patches is archived here:
https://lore.kernel.org/netdev/1DE06BB1-6BA9-4DB4-B2AA-07DE532963D6@oracle.com/
I'd like you to consider this series for v6.4.
The full patch set to support SunRPC with TLSv1.3 is available in
the topic-rpc-with-tls-upcall branch here, based on net-next/main:
https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git
This patch set includes support for in-transit confidentiality and
peer authentication for both the Linux NFS client and server.
A user space handshake agent for TLSv1.3 to go along with the kernel
patches is available in the "main" branch here:
https://github.com/oracle/ktls-utils
---
Changes since v8:
- Addressed Jakub's v8 review comments
- Fixed build problems with the new unit tests
- Addressed crashes in some corner case
Major changes since v7:
- Addressed Paolo's v7 review comments
- Added initial set of Kunit tests for the handshake API
- Included an NFS server patch to add new TLS_RECORD_TYPE values
Major changes since v6:
- YAML spec and generated artifacts are now under dual license
- Addressed Jakub's v6 review comments
- Implemented a memory-sensitive limit on the number of pending
handshake requests
- Implemented upcall support for multiple peer identities
Major changes since v5:
- Added a "timeout" attribute to the handshake netlink protocol
- Removed the GnuTLS-specific "priorities" attribute
- Added support for keyrings to restrict access to keys
- Simplified the kernel consumer TLS handshake API
- The handshake netlink protocol can handle multiple peer IDs or
certificates in the ACCEPT and DONE operations, though the
implementation does not yet support it.
Major changes since v4:
- Rebased onto net-next/main
- Replaced req reference counting with ->sk_destruct
- CMD_ACCEPT now does the equivalent of a dup(2) rather than an
accept(2)
- CMD_DONE no longer closes the user space socket endpoint
- handshake_req_cancel is now tested and working
- Added a YAML specification for the netlink upcall protocol, and
simplified the protocol to fit the YAML schema
- Added an initial set of tracepoints
Changes since v3:
- Converted all netlink code to use Generic Netlink
- Reworked handshake request lifetime logic throughout
- Global pending list is now per-net
- On completion, return the remote's identity to the consumer
Changes since v2:
- PF_HANDSHAKE replaced with NETLINK_HANDSHAKE
- Replaced listen(2) / poll(2) with a multicast notification service
- Replaced accept(2) with a netlink operation that can return an
open fd and handshake parameters
- Replaced close(2) with a netlink operation that can take arguments
Changes since RFC:
- Generic upcall support split away from kTLS
- Added support for TLS ServerHello
- Documentation has been temporarily removed while API churns
---
Chuck Lever (3):
net/handshake: Create a NETLINK service for handling handshake requests
net/handshake: Add a kernel API for requesting a TLSv1.3 handshake
net/handshake: Add Kunit tests for the handshake consumer API
Documentation/netlink/specs/handshake.yaml | 124 +++++
Documentation/networking/index.rst | 1 +
Documentation/networking/tls-handshake.rst | 217 +++++++++
MAINTAINERS | 11 +
include/net/handshake.h | 43 ++
include/trace/events/handshake.h | 159 +++++++
include/uapi/linux/handshake.h | 73 +++
net/Kconfig | 20 +
net/Makefile | 1 +
net/handshake/.kunitconfig | 11 +
net/handshake/Makefile | 13 +
net/handshake/genl.c | 58 +++
net/handshake/genl.h | 24 +
net/handshake/handshake-test.c | 523 +++++++++++++++++++++
net/handshake/handshake.h | 81 ++++
net/handshake/netlink.c | 332 +++++++++++++
net/handshake/request.c | 345 ++++++++++++++
net/handshake/tlshd.c | 417 ++++++++++++++++
net/handshake/trace.c | 20 +
19 files changed, 2473 insertions(+)
create mode 100644 Documentation/netlink/specs/handshake.yaml
create mode 100644 Documentation/networking/tls-handshake.rst
create mode 100644 include/net/handshake.h
create mode 100644 include/trace/events/handshake.h
create mode 100644 include/uapi/linux/handshake.h
create mode 100644 net/handshake/.kunitconfig
create mode 100644 net/handshake/Makefile
create mode 100644 net/handshake/genl.c
create mode 100644 net/handshake/genl.h
create mode 100644 net/handshake/handshake-test.c
create mode 100644 net/handshake/handshake.h
create mode 100644 net/handshake/netlink.c
create mode 100644 net/handshake/request.c
create mode 100644 net/handshake/tlshd.c
create mode 100644 net/handshake/trace.c
--
Chuck Lever
next reply other threads:[~2023-04-13 19:14 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-13 19:13 Chuck Lever [this message]
2023-04-13 19:13 ` [PATCH v9 1/3] net/handshake: Create a NETLINK service for handling handshake requests Chuck Lever
2023-04-13 19:14 ` [PATCH v9 2/3] net/handshake: Add a kernel API for requesting a TLSv1.3 handshake Chuck Lever
2023-04-13 19:14 ` [PATCH v9 3/3] net/handshake: Add Kunit tests for the handshake consumer API Chuck Lever
2023-04-15 1:31 ` Jakub Kicinski
2023-04-15 2:06 ` Chuck Lever
2023-04-15 2:15 ` Jakub Kicinski
2023-04-15 3:39 ` Chuck Lever
2023-04-15 17:57 ` Chuck Lever III
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=168141287044.157208.15120359741792569671.stgit@manet.1015granger.net \
--to=cel@kernel.org \
--cc=edumazet@google.com \
--cc=kernel-tls-handshake@lists.linux.dev \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).