Date:      Sat, 9 Jan 2021 14:08:27 +0000
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        John Baldwin <jhb@FreeBSD.org>, Andrew Gallatin <gallatin@cs.duke.edu>, "freebsd-arch@FreeBSD.org" <freebsd-arch@FreeBSD.org>, Allan Jude <allanjude@freebsd.org>
Subject:   Re: Should we enable KERN_TLS on amd64 for FreeBSD 13?
Message-ID:  <YQXPR0101MB096889C6383CD9579F019EF3DDAD0@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <4fe4a57c-8c43-a677-4872-d0671104c414@FreeBSD.org>
References:  <8eff83e5-49bc-d410-626e-603c03877b80@cs.duke.edu> <20210108214446.GJ31099@funkthat.com>, <4fe4a57c-8c43-a677-4872-d0671104c414@FreeBSD.org>

John Baldwin wrote:
>John-Mark Gurney wrote:
>> Andrew Gallatin wrote:
>>>
>>> There are essentially 3 options
>>>
>>> 1) Fully enable KTLS by adding 'options KERN_TLS' to GENERIC, and
>>> flipping kern.ipc.tls.enable=1
>>>
>>> The advantage of this is that it "just works" out of the box for users,
>>> and for reviewers.
>>>
>>> The drawback is that new code is thrust on unsuspecting users,
>>> potentially exposing them to bugs that we have not found in our
>>> somewhat limited web serving workload.
>>
>> This is my vote.
>>
>> I assume that the in tree and ports tree OpenSSL libraries will make
>> use of it when present?  Does this mean fetch and the like will also
>> use it when talking w/ https website?  (that's a nice benefit).
>
>In tree OpenSSL does not support KTLS.  OpenSSL considers KTLS support
>too large of a feature to officially backport to the 1.1.1 branch, so
>if we add it in base, it will mean keeping it as a local diff.
>
>OTOH, I do maintain a backport of KTLS to 1.1.1 and there is a KTLS
>option for the security/openssl port (not on by default, it perhaps
>should be on 13?) which includes KTLS support.  security/openssl-devel
>(which tracks OpenSSL 3) also has a KTLS option that probably should
>be enabled by default on 13 as it only consists of enabling the
>option without requiring patches to the port.
As of r557013, the KTLS option is enabled by default in openssl-devel.

>I can raise the issue again with secteam about importing KTLS into the
>base OpenSSL.  I think the main issue is the risk of getting a merge
>conflict when merging in an SA, though from my experience maintaining
>the KTLS patchset against 1.1.1 for the past year or so, I expect that
>risk to be fairly low.
>
>Personally, it would make my life a bit happier as a developer using
>KTLS for it to at least be in GENERIC by default, but that's a pretty
>narrow use case. :)

I don't know what the relationship between ports and packages is,
but if there is soon a package for openssl-devel (with KTLS enabled
like it is in ports), then no build from sources would be needed for
openssl.
--> It is unfortunate that Openssl3 (openssl-devel) is still in alpha test.

If there is a package for an openssl with KTLS support, then having KERN_TLS
in GENERIC might be nice, since no source builds would be needed.
(I have no preference w.r.t. "enabled by default", since the
sysctl can easily be set via sysctl.conf.)

Although nfs-over-tls is not yet implemented for non-FreeBSD
systems, I would like to see it become easy to enable during the
FreeBSD release cycle, and having KERN_TLS in GENERIC would
be a step in that direction.

Oh, and I'm not saying it is worth changing, but having OpenSSL
use KTLS and the kernel use KERN_TLS slightly obscures the fact
that they refer to related code.

rick

--
John Baldwin