[LSF/MM/BPF TOPIC][LSF/MM/BPF ATTEND] TLS handshake for in-kernel consumers

[Hannes Reinecke]

Hi all,

nvme-over-tcp has the option to utilize TLS for encrypted traffic, but 
due to the internal design of the nvme-over-fabrics stack we cannot 
initiate the TLS connection from userspace (as the current in-kernel TLS 
implementation is designed).

This leaves us with two options:
1) Put TLS handshake into the kernel (which will be quite some
   discussion as it's arguably a userspace configuration)
2) Pass an in-kernel socket to userspace and have a userspace
   application to run the TLS handshake.

None of these options are quiet clear cut, as we will be have to put
quite some complexity into the kernel to do full TLS handshake (if we
were to go with option 1) or will have to design a mechanism to pass
an in-kernel socket to userspace as we don't do that currently (if we 
were going with option 2).

We have been discussing some ideas on how to implement option 2 
(together with Chuck Lever and the NFS crowd), but so far haven't been 
able to come up with a decent design.

So I would like to discuss with interested parties on how TLS handshake 
could be facilitated, and what would be the best design options here.

The proposed configd would be an option, but then we don't have that, 
either :-)

Required attendees:

Chuck Lever
James Bottomley
Sagi Grimberg
Keith Busch
Christoph Hellwig
David Howells

Cheers,

Hannes
-- 
Dr. Hannes Reinecke		           Kernel Storage Architect
hare at suse.de			                  +49 911 74053 688
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), GF: Felix Imendörffer