[PATCH RFC 0/5] Implement a TLS handshake upcall

Chuck Lever chuck.lever at oracle.com
Mon Apr 18 09:49:22 PDT 2022 

There are a few upper-layer (storage) protocols that want to have a
full TLS implementation available in the Linux kernel.

The Linux kernel currently has an implementation of the TLS record
protocol, known as kTLS. However it does not have a complete TLS
implementation because it has no implementation of the TLS handshake
protocol. In-kernel storage protocols need both to use TLS properly.

In the long run, our preference is to have a TLS handshake
implementation in the kernel. However, it appears that would take a
long time and there is some desire to avoid adding to the Linux
kernel's "attack surface" without good reasons. So in the meantime
we've created a prototype handshake implementation that calls out to
user space where the actual handshake can be done by an existing
library implementation of TLS.

The prototype serves several purposes, including:

- Proof of concept: can a handshake upcall actually be implemented?

- Scaffold to enable prototyping upper-layer protocol support for TLS:
  Is there any demand for in-kernel TLS?

- Performance impact of always-on encryption with both software and
  hardware kTLS

- Understanding what features, if any, an upcall handshake cannot
  provide

The prototype currently supports client-side PSK and anonymous
x.509 ClientHello. We would like some feedback on the approach
before proceeding with ServerHello and mutual x.509 authentication.


User agent: https://github.com/oracle/ktls-utils

Who will use this implementation?
--------------------------------

This series implements only the upcall. I plan to post a second
series that shows how it can be used to implement the RPC-with-TlS
standard: https://datatracker.ietf.org/doc/draft-ietf-nfsv4-rpc-tls/

https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git topic-rpc-with-tls

Dr. Hannes Reinecke has a series that implements NVMe-TLS here:

https://git.kernel.org/pub/scm/linux/kernel/git/hare/scsi-devel.git tls-upcall.v4

We are also working with a few developers in the CIFS community
who are interested in SMB-over-QUIC. QUICv1 (RFC 9000) uses the
TLSv1.3 handshake protocol, and we hope they can leverage this
prototype capability when QUIC comes to the Linux kernel.

---

Chuck Lever (4):
      net: Add distinct sk_psock field
      net/tls: Add an AF_TLSH address family
      net/tls: Add support for PF_TLSH (a TLS handshake listener)
      net/tls: Add observability for AF_TLSH sockets

Hannes Reinecke (1):
      tls: build proto after context has been initialized


 .../networking/tls-in-kernel-handshake.rst    |  103 ++
 include/linux/skmsg.h                         |    2 +-
 include/linux/socket.h                        |    5 +-
 include/net/sock.h                            |    7 +-
 include/net/tls.h                             |   15 +
 include/net/tlsh.h                            |   22 +
 include/uapi/linux/tls.h                      |   16 +
 net/core/skmsg.c                              |    6 +-
 net/core/sock.c                               |    4 +-
 net/socket.c                                  |    1 +
 net/tls/Makefile                              |    2 +-
 net/tls/af_tlsh.c                             | 1078 +++++++++++++++++
 net/tls/tls_main.c                            |   13 +-
 net/tls/trace.c                               |    3 +
 net/tls/trace.h                               |  355 ++++++
 security/selinux/hooks.c                      |    4 +-
 security/selinux/include/classmap.h           |    4 +-
 .../perf/trace/beauty/include/linux/socket.h  |    4 +-
 18 files changed, 1631 insertions(+), 13 deletions(-)
 create mode 100644 Documentation/networking/tls-in-kernel-handshake.rst
 create mode 100644 include/net/tlsh.h
 create mode 100644 net/tls/af_tlsh.c

--
Chuck Lever

More information about the Linux-nvme mailing list