From: Jakub Kicinski <kuba@kernel.org>
To: Sabrina Dubroca <sd@queasysnail.net>
Cc: netdev@vger.kernel.org, Vadim Fedorenko <vfedorenko@novek.ru>,
Frantisek Krenzelok <fkrenzel@redhat.com>,
Kuniyuki Iwashima <kuniyu@amazon.com>,
Apoorv Kothari <apoorvko@amazon.com>,
Boris Pismenny <borisp@nvidia.com>,
John Fastabend <john.fastabend@gmail.com>,
Shuah Khan <shuah@kernel.org>,
linux-kselftest@vger.kernel.org, Gal Pressman <gal@nvidia.com>,
Marcel Holtmann <marcel@holtmann.org>
Subject: Re: [PATCH net-next v2 0/5] tls: implement key updates for TLS1.3
Date: Mon, 13 Mar 2023 11:35:10 -0700 [thread overview]
Message-ID: <20230313113510.02c107b3@kernel.org> (raw)
In-Reply-To: <ZA9EMJgoNsxfOhwV@hog>
On Mon, 13 Mar 2023 16:41:36 +0100 Sabrina Dubroca wrote:
> > > Yes, I was looking into that earlier this week. I think we could reuse
> > > a similar mechanism for rekeying. tls_dev_add takes tcp_sk->write_seq,
> > > we could have a tls_dev_rekey op passing the new key and new write_seq
> > > to the driver. I think we can also reuse the ->eor trick from
> > > tls_set_device_offload, and we wouldn't have to look at
> > > skb->decrypted. Close and push the current SW record, mark ->eor, pass
> > > write_seq to the driver along with the key. Also pretty close to what
> > > tls_device_resync_tx does.
> >
> > That sounds like you'd expose the rekeying logic to the drivers?
> > New op, having to track seq#...
>
> Well, we have to call into the drivers to install the key, whether
> that's a new rekey op, or adding an update argument to ->tls_dev_add,
> or letting the driver guess that it's a rekey (or ignore that and just
> install the key if rekey vs initial key isn't a meaningful
> distinction).
>
> We already feed drivers the seq# with ->tls_dev_add, so passing it for
> rekeys as well is not a big change.
>
> Does that seem problematic? Adding a rekey op seemed more natural to
> me than simply using the existing _del + _add ops, but maybe we can
> get away with just using those two ops.
Theoretically a rekey op is nicer and cleaner. Practically the quality
of the driver implementations will vary wildly*, and it's a significant
time investment to review all of them. So for non-technical reasons my
intuition is that we'd deliver a better overall user experience if we
handled the rekey entirely in the core.
Wait for old key to no longer be needed, _del + _add, start using the
offload again.
* One vendor submitted a driver claiming support for TLS 1.3, when
TLS 1.3 offload was rejected by the core. So this is the level of
testing and diligence we're working with :(
next prev parent reply other threads:[~2023-03-13 18:37 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-14 11:17 [PATCH net-next v2 0/5] tls: implement key updates for TLS1.3 Sabrina Dubroca
2023-02-14 11:17 ` [PATCH net-next v2 1/5] tls: remove tls_context argument from tls_set_sw_offload Sabrina Dubroca
2023-02-14 11:17 ` [PATCH net-next v2 2/5] tls: block decryption when a rekey is pending Sabrina Dubroca
2023-02-15 5:09 ` Jakub Kicinski
2023-02-15 17:37 ` Sabrina Dubroca
2023-02-14 11:17 ` [PATCH net-next v2 3/5] tls: implement rekey for TLS1.3 Sabrina Dubroca
2023-02-14 11:17 ` [PATCH net-next v2 4/5] selftests: tls: add key_generation argument to tls_crypto_info_init Sabrina Dubroca
2023-02-14 11:17 ` [PATCH net-next v2 5/5] selftests: tls: add rekey tests Sabrina Dubroca
2023-02-15 5:08 ` [PATCH net-next v2 0/5] tls: implement key updates for TLS1.3 Jakub Kicinski
2023-02-15 17:29 ` Sabrina Dubroca
2023-02-15 19:10 ` Jakub Kicinski
2023-02-15 23:23 ` Sabrina Dubroca
2023-02-16 3:57 ` Jakub Kicinski
2023-02-16 16:23 ` Sabrina Dubroca
2023-02-22 3:19 ` Jakub Kicinski
2023-02-23 16:27 ` Sabrina Dubroca
2023-02-23 17:29 ` Jakub Kicinski
2023-03-13 15:41 ` Sabrina Dubroca
2023-03-13 18:35 ` Jakub Kicinski [this message]
2023-03-22 16:10 ` Sabrina Dubroca
2023-03-22 19:43 ` Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230313113510.02c107b3@kernel.org \
--to=kuba@kernel.org \
--cc=apoorvko@amazon.com \
--cc=borisp@nvidia.com \
--cc=fkrenzel@redhat.com \
--cc=gal@nvidia.com \
--cc=john.fastabend@gmail.com \
--cc=kuniyu@amazon.com \
--cc=linux-kselftest@vger.kernel.org \
--cc=marcel@holtmann.org \
--cc=netdev@vger.kernel.org \
--cc=sd@queasysnail.net \
--cc=shuah@kernel.org \
--cc=vfedorenko@novek.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).