From: Hannes Reinecke <hare@suse.de>
To: Chuck Lever <cel@kernel.org>,
kuba@kernel.org, pabeni@redhat.com, edumazet@google.com
Cc: netdev@vger.kernel.org, kernel-tls-handshake@lists.linux.dev,
john.haxby@oracle.com
Subject: Re: [PATCH v7 1/2] net/handshake: Create a NETLINK service for handling handshake requests
Date: Mon, 20 Mar 2023 07:49:02 +0100 [thread overview]
Message-ID: <535a9fb0-6e87-fce6-4e6a-32250485ccbc@suse.de> (raw)
In-Reply-To: <167915629953.91792.17220269709156129944.stgit@manet.1015granger.net>
On 3/18/23 17:18, Chuck Lever wrote:
> From: Chuck Lever <chuck.lever@oracle.com>
>
> When a kernel consumer needs a transport layer security session, it
> first needs a handshake to negotiate and establish a session. This
> negotiation can be done in user space via one of the several
> existing library implementations, or it can be done in the kernel.
>
> No in-kernel handshake implementations yet exist. In their absence,
> we add a netlink service that can:
>
> a. Notify a user space daemon that a handshake is needed.
>
> b. Once notified, the daemon calls the kernel back via this
> netlink service to get the handshake parameters, including an
> open socket on which to establish the session.
>
> c. Once the handshake is complete, the daemon reports the
> session status and other information via a second netlink
> operation. This operation marks that it is safe for the
> kernel to use the open socket and the security session
> established there.
>
> The notification service uses a multicast group. Each handshake
> mechanism (eg, tlshd) adopts its own group number so that the
> handshake services are completely independent of one another. The
> kernel can then tell via netlink_has_listeners() whether a handshake
> service is active and prepared to handle a handshake request.
>
> A new netlink operation, ACCEPT, acts like accept(2) in that it
> instantiates a file descriptor in the user space daemon's fd table.
> If this operation is successful, the reply carries the fd number,
> which can be treated as an open and ready file descriptor.
>
> While user space is performing the handshake, the kernel keeps its
> muddy paws off the open socket. A second new netlink operation,
> DONE, indicates that the user space daemon is finished with the
> socket and it is safe for the kernel to use again. The operation
> also indicates whether a session was established successfully.
>
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> ---
> Documentation/netlink/specs/handshake.yaml | 122 +++++++++++
> MAINTAINERS | 8 +
> include/trace/events/handshake.h | 159 ++++++++++++++
> include/uapi/linux/handshake.h | 70 ++++++
> net/Kconfig | 5
> net/Makefile | 1
> net/handshake/Makefile | 11 +
> net/handshake/genl.c | 57 +++++
> net/handshake/genl.h | 23 ++
> net/handshake/handshake.h | 82 +++++++
> net/handshake/netlink.c | 316 ++++++++++++++++++++++++++++
> net/handshake/request.c | 307 +++++++++++++++++++++++++++
> net/handshake/trace.c | 20 ++
> 13 files changed, 1181 insertions(+)
> create mode 100644 Documentation/netlink/specs/handshake.yaml
> create mode 100644 include/trace/events/handshake.h
> create mode 100644 include/uapi/linux/handshake.h
> create mode 100644 net/handshake/Makefile
> create mode 100644 net/handshake/genl.c
> create mode 100644 net/handshake/genl.h
> create mode 100644 net/handshake/handshake.h
> create mode 100644 net/handshake/netlink.c
> create mode 100644 net/handshake/request.c
> create mode 100644 net/handshake/trace.c
>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), Geschäftsführer: Ivo Totev, Andrew
Myers, Andrew McDonald, Martje Boudien Moerman
next prev parent reply other threads:[~2023-03-20 6:49 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-18 16:18 [PATCH v7 0/2] Another crack at a handshake upcall mechanism Chuck Lever
2023-03-18 16:18 ` [PATCH v7 1/2] net/handshake: Create a NETLINK service for handling handshake requests Chuck Lever
2023-03-20 6:49 ` Hannes Reinecke [this message]
2023-03-21 11:27 ` Paolo Abeni
2023-03-21 13:58 ` Chuck Lever III
2023-03-22 9:03 ` Paolo Abeni
2023-03-22 13:35 ` Chuck Lever III
2023-03-22 16:32 ` Chuck Lever III
2023-03-21 19:55 ` Fwd: " Chuck Lever III
2023-03-22 9:06 ` Paolo Abeni
2023-03-28 18:14 ` Jeff Layton
2023-03-28 18:19 ` Chuck Lever III
2023-03-28 18:32 ` Jeff Layton
2023-03-18 16:18 ` [PATCH v7 2/2] net/tls: Add kernel APIs for requesting a TLSv1.3 handshake Chuck Lever
2023-03-20 6:53 ` Hannes Reinecke
2023-03-18 16:26 ` [PATCH v7 0/2] Another crack at a handshake upcall mechanism Chuck Lever III
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=535a9fb0-6e87-fce6-4e6a-32250485ccbc@suse.de \
--to=hare@suse.de \
--cc=cel@kernel.org \
--cc=edumazet@google.com \
--cc=john.haxby@oracle.com \
--cc=kernel-tls-handshake@lists.linux.dev \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).