Date: Fri, 8 Jan 2021 13:44:47 -0800
From: John-Mark Gurney <jmg@funkthat.com>
To: Andrew Gallatin <gallatin@cs.duke.edu>
Cc: freebsd-arch@FreeBSD.org, Rick Macklem <rmacklem@uoguelph.ca>, Allan Jude <allanjude@freebsd.org>
Subject: Re: Should we enable KERN_TLS on amd64 for FreeBSD 13?
Message-ID: <20210108214446.GJ31099@funkthat.com>
In-Reply-To: <8eff83e5-49bc-d410-626e-603c03877b80@cs.duke.edu>
Andrew Gallatin wrote this message on Fri, Jan 08, 2021 at 12:26 -0500:
> Kernel TLS (KTLS) support was added roughly a year ago, and provides
> an efficient software or hardware accelerated path to have the kernel
> (or the NIC) handle TLS crypto. This is quite useful for web and
> NFS servers, and provides a huge (2x -> 5x) efficiency gain by
> avoiding data copies into userspace for crypto, and potentially
> offloading the crypto to hardware.
>
>
> KTLS is well tested on amd64, having been used in production at Netflix
> for nearly 4 years. The vast majority of Netflix video has been served
> via KTLS for the last few years. It's what has allowed us to serve
> 100Gb/s on Xeon 2697A cpus for years, and what allows us to serve
> nearly 400Gb/s on AMD servers with NICs which support crypto offload.
>
> I have received a few requests to enable it by default in GENERIC, and
> I'd like to get some opinions.
>
> There are essentially 3 options
>
> 1) Fully enable KTLS by adding 'options KERN_TLS' to GENERIC, and
> flipping kern.ipc.tls.enable=1
>
> The advantage of this is that it "just works" out of the box for users,
> and for reviewers.
>
> The drawback is that new code is thrust on unsuspecting users,
> potentially exposing them to bugs that we have not found in our
> somewhat limited web serving workload.

This is my vote.

I assume that the in-tree and ports tree OpenSSL libraries will make
use of it when present? Does this mean fetch and the like will also
use it when talking w/ an https website? (That's a nice benefit.)

IMO, this is the best option for at least 13-current (we can revisit
this before 13.0-R happens), and preferably for 13.0-R. W/ both a
kernel option and a sysctl to disable it, we have a way to address issues,
and getting the code used and tested is the best way to make it
stable and to shake out any remaining bugs.

--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."