From owner-freebsd-arch@freebsd.org  Sat Jan  9 12:30:38 2021
Return-Path: <owner-freebsd-arch@freebsd.org>
Delivered-To: freebsd-arch@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 826714D31AB
 for <freebsd-arch@mailman.nyi.freebsd.org>;
 Sat,  9 Jan 2021 12:30:38 +0000 (UTC)
 (envelope-from freebsd-rwg@gndrsh.dnsmgr.net)
Received: from gndrsh.dnsmgr.net (br1.CN84in.dnsmgr.net [69.59.192.140])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4DCfSt17j9z4tvq;
 Sat,  9 Jan 2021 12:30:37 +0000 (UTC)
 (envelope-from freebsd-rwg@gndrsh.dnsmgr.net)
Received: from gndrsh.dnsmgr.net (localhost [127.0.0.1])
 by gndrsh.dnsmgr.net (8.13.3/8.13.3) with ESMTP id 109CUWDu024556;
 Sat, 9 Jan 2021 04:30:32 -0800 (PST)
 (envelope-from freebsd-rwg@gndrsh.dnsmgr.net)
Received: (from freebsd-rwg@localhost)
 by gndrsh.dnsmgr.net (8.13.3/8.13.3/Submit) id 109CUW1E024555;
 Sat, 9 Jan 2021 04:30:32 -0800 (PST) (envelope-from freebsd-rwg)
From: "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>
Message-Id: <202101091230.109CUW1E024555@gndrsh.dnsmgr.net>
Subject: Re: Should we enable KERN_TLS on amd64 for FreeBSD 13?
In-Reply-To: <8eff83e5-49bc-d410-626e-603c03877b80@cs.duke.edu>
To: Andrew Gallatin <gallatin@cs.duke.edu>
Date: Sat, 9 Jan 2021 04:30:32 -0800 (PST)
CC: freebsd-arch@freebsd.org, Rick Macklem <rmacklem@uoguelph.ca>,
 Allan Jude <allanjude@freebsd.org>
X-Mailer: ELM [version 2.4ME+ PL121h (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
X-Rspamd-Queue-Id: 4DCfSt17j9z4tvq
X-Spamd-Bar: ----
Authentication-Results: mx1.freebsd.org;
	none
X-Spamd-Result: default: False [-4.00 / 15.00];
	 REPLY(-4.00)[]
X-BeenThere: freebsd-arch@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Discussion related to FreeBSD architecture <freebsd-arch.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-arch>,
 <mailto:freebsd-arch-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-arch/>
List-Post: <mailto:freebsd-arch@freebsd.org>
List-Help: <mailto:freebsd-arch-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-arch>,
 <mailto:freebsd-arch-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Jan 2021 12:30:38 -0000

> 
> Kernel TLS (KTLS) support was added roughly a year ago, and provides
> an efficient software or hardware accelerated path to have the kernel
> (or the NIC) handle TLS crypto.  This is quite useful for web and
> NFS servers, and provides a huge (2x -> 5x) efficiency gain by
> avoiding data copies into userspace for crypto, and potentially
> offloading the crypto to hardware.
> 
> 
> KTLS is well tested on amd64, having been used in production at Netflix
> for nearly 4 years.   The vast majority of Netflix video has been served
> via KTLS for the last few years.  Its what has allowed us to serve
> 100Gb/s on Xeon 2697A cpus for years, and what allows us to serve
> nearly 400Gb/s on AMD servers with NICs which support crypto offload.
> 
> I have received a few requests to enable it by default in GENERIC, and
> I'd like to get some opinions.
> 
> There are essentially 3 options
> 
> 1) Fully enable KTLS by adding 'options KERN_TLS' to GENERIC, and
> flipping kern.ipc.tls.enable=1
> 
> The advantage of this is that it "just works" out of the box for users,
> and for reviewers.
> 
> The drawback is that new code is thrust on unsuspecting users,
> potentially exposing them to bugs that we have not found in our
> somewhat limited web serving workload.
> 
> 2) Enable KTLS in GENERIC, but leave it turned off by default.
> 
> This option allows users to enable ktls without a rebuild of GENERIC,
> but does not enable it by default. So they can enable it if they
> know about it, but are protected from bugs.
> 
> The disadvantages of this are that it increases the kernel size
> by ~20K, starts up one thread per core on every amd64 machine,
> and it adds more required tuning to get good performance from FreeBSD.
> 
> 
> 3) Continue along with KTLS disabled in GENERIC
> 
> This is the lowest risk, but adds a higher bar for users wanting
> to use ktls.

4) If possible could the few places that have #ifdef be dealt with
   using a switch table or IFUNCs so that the KTLS code could be
   enable at boot time via a loadable module?

> 
> Note that the discussion is focused on amd64 only, as KTLS will
> only work on 64-bit platforms which use a direct map.  It has
> not been tested at all on ppc64, and currently causes a
> panic-at-boot on arm64 due to what are suspected to be problems
> in the arm64 PCB setup. See:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247945
> 
> Drew
> 
-- 
Rod Grimes                                                 rgrimes@freebsd.org