Date: Tue, 11 Apr 2023 14:30:51 -0700
From: John Baldwin <jhb@FreeBSD.org>
To: stable@FreeBSD.org
Cc: Graham Perrin <grahamperrin@gmail.com>
Subject: Clarifications to kernel TLS offload support in 13.x
Message-ID: <d94d5f69-8830-85ad-be9e-903b7e64c188@FreeBSD.org>
Kernel TLS offload support for each direction (transmit and receive) operates in three different modes: software, ifnet, and TOE. Software KTLS uses software ciphers (or crypto offload engines on co-processors like qat(4)) to encrypt/decrypt TLS records at the socket buffer layer. ifnet TLS depends on encryption/decryption of TLS records being performed by the NIC as TLS records are either sent or received (mlx5 and cxgbe T6 do transmit ifnet TLS, mlx5 does receive ifnet TLS). TOE TLS is similar to ifnet TLS but it relies on a smart NIC that has a TCP offload engine that performs the encryption/decryption in the NIC (cxgbe T6 can do this).

13.0 included kernel TLS offload transmit support for all three modes and covering most commonly-used ciphers (TLS 1.0-1.3 using AES-CBC (MtE) and AES-GCM). It also included support for TLS offload receive support for AES-GCM with TLS 1.2 using either the software or TOE modes.

13.1 added support for the Chacha20-Poly1305 cipher suite, both for TLS 1.2 (send and receive) and TLS 1.3 (send-only) using the software mode.

13.2 added support for TLS 1.3 receive (AES-GCM and Chacha20), but only via the software mode.

14.0 adds support for ifnet mode TLS receive (currently supported on mlx5 adapters) for AES-GCM using versions 1.2 and 1.3. It also includes easier-to-use TOE support.

KTLS is enabled/disabled on a global basis via the kern.ipc.tls.enable sysctl. In addition, ifnet TLS can be enabled/disabled on individual NICs via ifconfig using the "txtls" (for transmit) or "rxtls" (for receive) flags. Software and TOE TLS do not depend on ifconfig flags, however. Software TLS is only controlled via the global sysctl. TOE TLS is controlled via driver-specific sysctls.

-- 
John Baldwin
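As an added example (not part of the original message), the following POSIX sh audit reports which KTLS mode a 13.x host would use per direction from the two knobs named above: the global kern.ipc.tls.enable sysctl and the per-NIC txtls/rxtls ifconfig flags. It assumes ifconfig lists the enabled flags in its "options=" line as the capability names TXTLS4/TXTLS6 and RXTLS4/RXTLS6, and that a direction whose ifnet flag is on uses ifnet mode while the rest fall back to software mode; TOE mode is driver-specific and is not covered.

```shell
#!/bin/sh
# Added example: audit the effective KTLS mode per direction on a FreeBSD 13.x host.
# Assumptions (not stated in the original message): ifconfig's "options=" line shows
# the per-NIC flags as TXTLS4/TXTLS6 (transmit) and RXTLS4/RXTLS6 (receive), and a
# direction with its ifnet flag enabled uses ifnet mode, otherwise software mode.

# ktls_mode ENABLE OPTIONS_LINE DIRECTION  -> prints: off | ifnet | software
#   ENABLE        value of `sysctl -n kern.ipc.tls.enable`
#   OPTIONS_LINE  the "options=" line from `ifconfig <nic>`
#   DIRECTION     tx or rx
ktls_mode() {
    enable=$1 opts=$2 dir=$3
    # The global sysctl gates every mode: nothing is offloaded when it is 0.
    [ "$enable" = "1" ] || { echo off; return 0; }
    case "$dir" in
        tx) cap=TXTLS ;;
        rx) cap=RXTLS ;;
        *)  echo "ktls_mode: bad direction '$dir'" >&2; return 1 ;;
    esac
    # Either the IPv4 or IPv6 variant of the capability means ifnet TLS is on.
    case "$opts" in
        *"$cap"4*|*"$cap"6*) echo ifnet ;;
        *)                   echo software ;;
    esac
}

# ktls_audit NIC: query a live host and print both directions for one NIC.
ktls_audit() {
    nic=$1
    enable=$(sysctl -n kern.ipc.tls.enable 2>/dev/null || echo 0)
    opts=$(ifconfig "$nic" 2>/dev/null | grep 'options=')
    printf '%s: transmit=%s receive=%s\n' "$nic" \
        "$(ktls_mode "$enable" "$opts" tx)" "$(ktls_mode "$enable" "$opts" rx)"
}

# Constructed sample (not real ifconfig output): transmit flagged on, receive off.
SAMPLE_OPTS='options=4e507bb<RXCSUM,TXCSUM,VLAN_MTU,TSO4,TSO6,TXTLS4,TXTLS6>'
```

Run `ktls_audit mce0` (or whichever NIC name applies) on the host itself; the constructed SAMPLE_OPTS value is only there to exercise ktls_mode offline.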