From: Rick Macklem <rmacklem@uoguelph.ca>
To: John Baldwin, Andrew Gallatin, freebsd-arch@FreeBSD.org, Allan Jude
Subject: Re: Should we enable KERN_TLS on amd64 for FreeBSD 13?
Date: Sat, 9 Jan 2021 14:08:27 +0000
In-Reply-To: <4fe4a57c-8c43-a677-4872-d0671104c414@FreeBSD.org>

John Baldwin wrote:
>John-Mark Gurney wrote:
>> Andrew Gallatin wrote:
>>>
>>> There are essentially 3 options
>>>
>>> 1) Fully enable KTLS by adding 'options KERN_TLS' to GENERIC, and
>>> flipping kern.ipc.tls.enable=1
>>>
>>> The advantage of this is that it "just works" out of the box for users,
>>> and for reviewers.
>>>
>>> The drawback is that new code is thrust on unsuspecting users,
>>> potentially exposing them to bugs that we have not found in our
>>> somewhat limited web serving workload.
>>
>> This is my vote.
>>
>> I assume that the in tree and ports tree OpenSSL libraries will make
>> use of it when present? Does this mean fetch and the like will also
>> use it when talking w/ https website? (that's a nice benefit).
>
>In tree OpenSSL does not support KTLS. OpenSSL considers KTLS support
>too large of a feature to officially backport to the 1.1.1 branch, so
>if we add it in base, it will mean keeping it as a local diff.
>
>OTOH, I do maintain a backport of KTLS to 1.1.1 and there is a KTLS
>option for the security/openssl port (not on by default, it perhaps
>should be on 13?) which includes KTLS support. security/openssl-devel
>(which tracks OpenSSL 3) also has a KTLS option that probably should
>be enabled by default on 13 as it only consists of enabling the
>option without requiring patches to the port.
As of r557013, the KTLS option is enabled by default in openssl-devel.

>I can raise the issue again with secteam about importing KTLS into the
>base OpenSSL. I think the main issue is the risk of getting a merge
>conflict when merging in an SA, though from my experience maintaining
>the KTLS patchset against 1.1.1 for the past year or so, I expect that
>risk to be fairly low.
>
>Personally, it would make my life a bit happier as a developer using
>KTLS for it to at least be in GENERIC by default, but that's a pretty
>narrow use case. :)

I don't know what the relationship between ports and packages is,
but if there is soon a package for openssl-devel (with KTLS enabled
like it is in ports), then no build from sources would be needed for
openssl.
--> It is unfortunate that Openssl3 (openssl-devel) is still in alpha test.

If there is a package for an openssl with KTLS support, then having KERN_TLS
in GENERIC might be nice, since no source builds would be needed.
(I have no preference w.r.t. "enabled by default", since the
sysctl can easily be set via sysctl.conf.)

Although nfs-over-tls is not yet implemented for non-FreeBSD
systems, I would like to see it become easy to enable during the
FreeBSD release cycle, and having KERN_TLS in GENERIC would
be a step in that direction.

Oh, and I'm not saying it is worth changing, but having Openssl
use KTLS and the kernel use KERN_TLS slightly obscures the fact
that they refer to related code.

rick

-- 
John Baldwin