From: Chuck Lever III <chuck.lever@oracle.com>
To: Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Eric Dumazet <edumazet@google.com>
Cc: "open list:NETWORKING [GENERAL]" <netdev@vger.kernel.org>,
	"kernel-tls-handshake@lists.linux.dev"
	<kernel-tls-handshake@lists.linux.dev>,
	John Haxby <john.haxby@oracle.com>
Subject: Re: [PATCH v7 0/2] Another crack at a handshake upcall mechanism
Date: Sat, 18 Mar 2023 16:26:45 +0000
Message-ID: <70E1DAC8-AD24-426C-9A27-A0F6C0015BAF@oracle.com>
In-Reply-To: <167915594811.91792.15722842400657376706.stgit@manet.1015granger.net>



> On Mar 18, 2023, at 12:18 PM, Chuck Lever <cel@kernel.org> wrote:
> 
> Hi-
> 
> Here is v7 of a series to add generic support for transport layer
> security handshake on behalf of kernel socket consumers (user space
> consumers use a security library directly, of course). A summary of
> the purpose of these patches is archived here:
> 
> https://lore.kernel.org/netdev/1DE06BB1-6BA9-4DB4-B2AA-07DE532963D6@oracle.com/
> 
> v7 again has considerable churn, for two reasons:
> 
> - I incorporated more C code generated from the YAML spec, and
> - I moved net/tls/tls_handshake.c to net/handshake/
> 
> Other significant changes are listed below.
> 
> The full patch set to support SunRPC with TLSv1.3 is available in
> the topic-rpc-with-tls-upcall branch here, based on net-next/main:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git
> 
> This patch set includes support for in-transit confidentiality and
> peer authentication for both the Linux NFS client and server.
> 
> A user space handshake agent for TLSv1.3 to go along with the kernel
> patches is available in the "netlink-v7" branch here:
> 
> https://github.com/oracle/ktls-utils
> 
> ---
> 
> Major changes since v6:
> - YAML spec and generated artifacts are now under dual license
> - Addressed Jakub's v6 review comments
> - Implemented a memory-sensitive limit on the number of pending
>  handshake requests
> - Implemented upcall support for multiple peer identities

Addenda:

- I volunteered as maintainer of net/handshake/
- Addressed "undefined references" with certain build configurations


> Major changes since v5:
> - Added a "timeout" attribute to the handshake netlink protocol
> - Removed the GnuTLS-specific "priorities" attribute
> - Added support for keyrings to restrict access to keys
> - Simplified the kernel consumer TLS handshake API
> - The handshake netlink protocol can handle multiple peer IDs or
>  certificates in the ACCEPT and DONE operations, though the
>  implementation does not yet support it.
> 
> Major changes since v4:
> - Rebased onto net-next/main
> - Replaced req reference counting with ->sk_destruct
> - CMD_ACCEPT now does the equivalent of a dup(2) rather than an
>  accept(2)
> - CMD_DONE no longer closes the user space socket endpoint
> - handshake_req_cancel is now tested and working
> - Added a YAML specification for the netlink upcall protocol, and
>  simplified the protocol to fit the YAML schema
> - Added an initial set of tracepoints
> 
> Changes since v3:
> - Converted all netlink code to use Generic Netlink
> - Reworked handshake request lifetime logic throughout
> - Global pending list is now per-net
> - On completion, return the remote's identity to the consumer
> 
> Changes since v2:
> - PF_HANDSHAKE replaced with NETLINK_HANDSHAKE
> - Replaced listen(2) / poll(2) with a multicast notification service
> - Replaced accept(2) with a netlink operation that can return an
>  open fd and handshake parameters
> - Replaced close(2) with a netlink operation that can take arguments
> 
> Changes since RFC:
> - Generic upcall support split away from kTLS
> - Added support for TLS ServerHello
> - Documentation has been temporarily removed while API churns
> 
> ---
> 
> Chuck Lever (2):
>      net/handshake: Create a NETLINK service for handling handshake requests
>      net/tls: Add kernel APIs for requesting a TLSv1.3 handshake
> 
> 
> Documentation/netlink/specs/handshake.yaml | 124 ++++++
> Documentation/networking/index.rst         |   1 +
> Documentation/networking/tls-handshake.rst | 217 +++++++++++
> MAINTAINERS                                |  10 +
> include/net/handshake.h                    |  43 +++
> include/trace/events/handshake.h           | 159 ++++++++
> include/uapi/linux/handshake.h             |  72 ++++
> net/Kconfig                                |   5 +
> net/Makefile                               |   1 +
> net/handshake/Makefile                     |  11 +
> net/handshake/genl.c                       |  58 +++
> net/handshake/genl.h                       |  24 ++
> net/handshake/handshake.h                  |  82 ++++
> net/handshake/netlink.c                    | 316 ++++++++++++++++
> net/handshake/request.c                    | 307 +++++++++++++++
> net/handshake/tlshd.c                      | 417 +++++++++++++++++++++
> net/handshake/trace.c                      |  20 +
> 17 files changed, 1867 insertions(+)
> create mode 100644 Documentation/netlink/specs/handshake.yaml
> create mode 100644 Documentation/networking/tls-handshake.rst
> create mode 100644 include/net/handshake.h
> create mode 100644 include/trace/events/handshake.h
> create mode 100644 include/uapi/linux/handshake.h
> create mode 100644 net/handshake/Makefile
> create mode 100644 net/handshake/genl.c
> create mode 100644 net/handshake/genl.h
> create mode 100644 net/handshake/handshake.h
> create mode 100644 net/handshake/netlink.c
> create mode 100644 net/handshake/request.c
> create mode 100644 net/handshake/tlshd.c
> create mode 100644 net/handshake/trace.c
> 
> --
> Chuck Lever
> 
> 

--
Chuck Lever
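The cover letter's changelog describes the shape of the upcall without showing it: a consumer queues a request for its socket, the agent's ACCEPT receives a dup(2) of that socket plus parameters such as the timeout, DONE reports a status and the remote identity without closing the agent's endpoint, and the number of pending requests is bounded. The following user-space model, written for this page and not taken from the series, ktls-utils or the kernel, walks one request through that exchange over a socketpair so the ownership rules are visible. All names (hs_request, hs_accept, hs_done, hs_complete, HS_MAX_PENDING) are hypothetical stand-ins, not the netlink operations or attributes of the real protocol.

```c
/* Added model of the handshake upcall lifecycle; not the kernel's code. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define HS_MAX_PENDING 2   /* hypothetical stand-in for the memory-sensitive cap */
#define HS_ID_MAX 64

enum hs_state { HS_FREE = 0, HS_PENDING, HS_ACCEPTED, HS_DONE };

struct hs_req {
	enum hs_state state;
	int consumer_fd;            /* the kernel consumer's own socket */
	int agent_fd;               /* dup(2) handed to the agent by ACCEPT */
	int timeout_sec;            /* the "timeout" attribute */
	int status;                 /* reported by DONE */
	char remote_id[HS_ID_MAX];  /* remote identity reported by DONE */
};

struct hs_net { struct hs_req reqs[HS_MAX_PENDING]; int pending; };  /* per-net list */

/* Consumer: queue a request; refused once the per-net pending limit is reached. */
static int hs_request(struct hs_net *net, int fd, int timeout_sec)
{
	for (int i = 0; net->pending < HS_MAX_PENDING && i < HS_MAX_PENDING; i++) {
		struct hs_req *req = &net->reqs[i];
		if (req->state != HS_FREE)
			continue;
		*req = (struct hs_req){ .state = HS_PENDING, .consumer_fd = fd,
					.agent_fd = -1, .timeout_sec = timeout_sec, .status = -1 };
		net->pending++;
		return i;
	}
	return -EBUSY;
}

/* Agent: ACCEPT returns a dup(2) of the consumer socket, not a new connection. */
static int hs_accept(struct hs_net *net, int idx, int *timeout_sec)
{
	if (idx < 0 || idx >= HS_MAX_PENDING || net->reqs[idx].state != HS_PENDING)
		return -ENOENT;
	struct hs_req *req = &net->reqs[idx];
	req->agent_fd = dup(req->consumer_fd);
	if (req->agent_fd < 0)
		return -errno;
	req->state = HS_ACCEPTED;
	*timeout_sec = req->timeout_sec;
	return req->agent_fd;
}

/* Agent: DONE records status and peer identity; the agent's fd stays open. */
static int hs_done(struct hs_net *net, int idx, int status, const char *remote_id)
{
	if (idx < 0 || idx >= HS_MAX_PENDING || net->reqs[idx].state != HS_ACCEPTED)
		return -ENOENT;
	struct hs_req *req = &net->reqs[idx];
	req->status = status;
	snprintf(req->remote_id, sizeof(req->remote_id), "%s", remote_id ? remote_id : "");
	req->state = HS_DONE;
	return 0;
}

/* Consumer: collect the outcome and release the slot (a socket torn down before
 * DONE would release it the same way and see -ECANCELED). */
static int hs_complete(struct hs_net *net, int idx, char *remote_id, size_t len)
{
	if (idx < 0 || idx >= HS_MAX_PENDING || net->reqs[idx].state == HS_FREE)
		return -ENOENT;
	struct hs_req *req = &net->reqs[idx];
	int status = req->state == HS_DONE ? req->status : -ECANCELED;
	if (remote_id)
		snprintf(remote_id, len, "%s", req->remote_id);
	memset(req, 0, sizeof(*req));
	net->pending--;
	return status;
}

/* One request end to end: sp[0] is the consumer's socket, sp[1] its peer.
 * Returns 0 only if the consumer socket still works after the agent closed its dup. */
static int hs_demo_roundtrip(void)
{
	struct hs_net net = { 0 };
	int sp[2], timeout = 0, rc;
	char id[HS_ID_MAX] = "", buf[16];

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0)
		return -errno;
	int idx = hs_request(&net, sp[0], 30);
	int agent_fd = hs_accept(&net, idx, &timeout);
	if (agent_fd < 0 || timeout != 30)
		return -1;
	/* the agent drives handshake bytes through its own descriptor */
	if (write(agent_fd, "hello", 5) != 5 || read(sp[1], buf, sizeof(buf)) != 5)
		return -2;
	hs_done(&net, idx, 0, "server.example");
	close(agent_fd);                       /* DONE did not close it for the agent */
	rc = hs_complete(&net, idx, id, sizeof(id));
	if (write(sp[1], "data", 4) != 4 || read(sp[0], buf, sizeof(buf)) != 4)
		rc = -3;                       /* consumer fd must survive agent's close */
	if (rc == 0 && (strcmp(id, "server.example") != 0 || net.pending != 0))
		rc = -4;
	close(sp[0]);
	close(sp[1]);
	return rc;
}

/* The cap is enforced before any descriptor is duplicated: returns -EBUSY. */
static int hs_demo_limit(void)
{
	struct hs_net net = { 0 };
	int fds[HS_MAX_PENDING + 1], rc = 0;
	for (int i = 0; i <= HS_MAX_PENDING; i++)
		rc = hs_request(&net, fds[i] = open("/dev/null", O_RDONLY), 10);
	for (int i = 0; i <= HS_MAX_PENDING; i++)
		close(fds[i]);
	return rc;
}
```

The point the model makes concrete is the v4 change from accept(2) to dup(2) semantics: the agent and the consumer hold independent descriptors on the same socket, so the agent's close() after DONE releases only its own reference, and the request slot is freed by the consumer, not by the agent.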


