From: Hannes Reinecke <hare@suse.de>
To: Jakub Kicinski <kuba@kernel.org>, Chuck Lever <chuck.lever@oracle.com>
Cc: netdev@vger.kernel.org, linux-nfs@vger.kernel.org,
linux-nvme@lists.infradead.org, linux-cifs@vger.kernel.org,
linux-fsdevel@vger.kernel.org, ak@tempesta-tech.com,
borisp@nvidia.com, simo@redhat.com
Subject: Re: [PATCH RFC 4/5] net/tls: Add support for PF_TLSH (a TLS handshake listener)
Date: Tue, 26 Apr 2022 11:43:37 +0200 [thread overview]
Message-ID: <66077b73-c1a4-d2ae-c8e4-3e19e9053171@suse.de> (raw)
In-Reply-To: <20220425101459.15484d17@kernel.org>
On 4/25/22 19:14, Jakub Kicinski wrote:
> On Mon, 18 Apr 2022 12:49:50 -0400 Chuck Lever wrote:
>> In-kernel TLS consumers need a way to perform a TLS handshake. In
>> the absence of a handshake implementation in the kernel itself, a
>> mechanism to perform the handshake in user space, using an existing
>> TLS handshake library, is necessary.
>>
>> I've designed a way to pass a connected kernel socket endpoint to
>> user space using the traditional listen/accept mechanism. accept(2)
>> gives us a well-understood way to materialize a socket endpoint as a
>> normal file descriptor in a specific user space process. Like any
>> open socket descriptor, the accepted FD can then be passed to a
>> library such as openSSL to perform a TLS handshake.
>>
>> This prototype currently handles only initiating client-side TLS
>> handshakes. Server-side handshakes and key renegotiation are left
>> to do.
>>
>> Security Considerations
>> ~~~~~~~~ ~~~~~~~~~~~~~~
>>
>> This prototype is net-namespace aware.
>>
>> The kernel has no mechanism to attest that the listening user space
>> agent is trustworthy.
>>
>> Currently the prototype does not handle multiple listeners that
>> overlap -- multiple listeners in the same net namespace that have
>> overlapping bind addresses.
>
> Create the socket in user space, do all the handshakes you need there
> and then pass it to the kernel. This is how NBD + TLS works. Scales
> better and requires much less kernel code.
>
But we can't, as the existing mechanisms (at least for NVMe) creates the
socket in-kernel.
Having to create the socket in userspace would require a completely new
interface for nvme and will not be backwards compatible.
Not to mention having to rework the nvme driver to accept sockets from
userspace instead of creating them internally.
With this approach we can keep existing infrastructure, and can get a
common implementation for either transport.
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@suse.de +49 911 74053 688
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), GF: Felix Imendörffer
next prev parent reply other threads:[~2022-04-26 10:17 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-18 16:49 [PATCH RFC 0/5] Implement a TLS handshake upcall Chuck Lever
2022-04-18 16:49 ` [PATCH RFC 1/5] net: Add distinct sk_psock field Chuck Lever
2022-04-21 7:35 ` Hannes Reinecke
2022-07-13 4:46 ` Hawkins Jiawei
2022-04-18 16:49 ` [PATCH RFC 2/5] tls: build proto after context has been initialized Chuck Lever
2022-04-25 17:11 ` Jakub Kicinski
2022-04-25 17:51 ` Chuck Lever III
2022-05-20 16:39 ` Chuck Lever III
2022-04-18 16:49 ` [PATCH RFC 3/5] net/tls: Add an AF_TLSH address family Chuck Lever
2022-04-21 7:35 ` Hannes Reinecke
2022-04-18 16:49 ` [PATCH RFC 4/5] net/tls: Add support for PF_TLSH (a TLS handshake listener) Chuck Lever
2022-04-21 7:36 ` Hannes Reinecke
2022-04-25 17:14 ` Jakub Kicinski
2022-04-26 9:43 ` Hannes Reinecke [this message]
2022-04-26 14:29 ` Sagi Grimberg
2022-04-26 15:02 ` Jakub Kicinski
2022-04-26 15:58 ` Hannes Reinecke
2022-04-27 0:03 ` Jakub Kicinski
2022-04-27 15:24 ` Chuck Lever III
2022-04-28 7:26 ` Hannes Reinecke
2022-04-28 13:30 ` Jakub Kicinski
2022-04-28 13:51 ` Hannes Reinecke
2022-04-28 14:09 ` Benjamin Coddington
2022-04-28 21:08 ` Jakub Kicinski
2022-05-24 10:05 ` [ovs-dev] " Ilya Maximets
2022-04-26 14:55 ` Jakub Kicinski
2022-04-26 13:48 ` Chuck Lever III
2022-04-26 14:55 ` Jakub Kicinski
2022-04-26 15:58 ` Chuck Lever III
2022-04-26 23:47 ` Jakub Kicinski
2022-04-27 14:42 ` Chuck Lever III
2022-04-27 23:53 ` Jakub Kicinski
2022-04-28 1:29 ` Chuck Lever III
2022-04-28 21:08 ` Jakub Kicinski
2022-04-28 21:54 ` Chuck Lever III
2022-04-28 8:49 ` Boris Pismenny
2022-04-28 13:12 ` Simo Sorce
2022-04-29 15:19 ` Chuck Lever III
2022-04-28 15:24 ` Chuck Lever III
2022-04-29 6:25 ` Hannes Reinecke
2022-04-18 16:49 ` [PATCH RFC 5/5] net/tls: Add observability for AF_TLSH sockets Chuck Lever
2022-04-21 7:36 ` Hannes Reinecke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=66077b73-c1a4-d2ae-c8e4-3e19e9053171@suse.de \
--to=hare@suse.de \
--cc=ak@tempesta-tech.com \
--cc=borisp@nvidia.com \
--cc=chuck.lever@oracle.com \
--cc=kuba@kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=netdev@vger.kernel.org \
--cc=simo@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).