[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20250901164355.GM15473@horms.kernel.org>
Date: Mon, 1 Sep 2025 17:44:44 +0100
From: Simon Horman <horms@...nel.org>
To: Wilfred Mallawa <wilfred.opensource@...il.com>
Cc: chuck.lever@...cle.com, kernel-tls-handshake@...ts.linux.dev,
"David S . Miller" <davem@...emloft.net>, donald.hunter@...il.com,
edumazet@...gle.com, hare@...nel.org,
Jakub Kicinski <kuba@...nel.org>, john.fastabend@...il.com,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
pabeni@...hat.com, wilfred.mallawa@....com,
Hannes Reinecke <hare@...e.de>
Subject: Re: [PATCH] net/tls: allow limiting maximum record size
Corrected Jakub's email address.
On Mon, Sep 01, 2025 at 03:36:19PM +1000, Wilfred Mallawa wrote:
> From: Wilfred Mallawa <wilfred.mallawa@....com>
>
> During a handshake, an endpoint may specify a maximum record size limit.
> Currently, the kernel defaults to TLS_MAX_PAYLOAD_SIZE (16KB) for the
> maximum record size. Meaning that, the outgoing records from the kernel
> can exceed a lower size negotiated during the handshake. In such a case,
> the TLS endpoint must send a fatal "record_overflow" alert [1], and
> thus the record is discarded.
>
> Upcoming Western Digital NVMe-TCP hardware controllers implement TLS
> support. For these devices, supporting TLS record size negotiation is
> necessary because the maximum TLS record size supported by the controller
> is less than the default 16KB currently used by the kernel.
>
> This patch adds support for retrieving the negotiated record size limit
> during a handshake, and enforcing it at the TLS layer such that outgoing
> records are no larger than the size negotiated. This patch depends on
> the respective userspace support in tlshd [2] and GnuTLS [3].
>
> [1] https://www.rfc-editor.org/rfc/rfc8449
> [2] https://github.com/oracle/ktls-utils/pull/112
> [3] https://gitlab.com/gnutls/gnutls/-/merge_requests/2005
>
> Signed-off-by: Wilfred Mallawa <wilfred.mallawa@....com>
> Reviewed-by: Hannes Reinecke <hare@...e.de>
...
> diff --git a/Documentation/netlink/specs/handshake.yaml b/Documentation/netlink/specs/handshake.yaml
> index 95c3fade7a8d..0dbe5d0c8507 100644
> --- a/Documentation/netlink/specs/handshake.yaml
> +++ b/Documentation/netlink/specs/handshake.yaml
> @@ -87,6 +87,9 @@ attribute-sets:
> name: remote-auth
> type: u32
> multi-attr: true
> + -
> + name: record-size-limit
> + type: u32
nit: This indentation is not consistent with the existing spec.
>
> operations:
> list:
And I believe you are missing the following hunk:
@@ -126,6 +126,7 @@ operations:
- status
- sockfd
- remote-auth
+ - record-size-limit
mcast-groups:
list:
...
> diff --git a/net/handshake/genl.c b/net/handshake/genl.c
> index f55d14d7b726..fb8962ae7131 100644
> --- a/net/handshake/genl.c
> +++ b/net/handshake/genl.c
> @@ -16,10 +16,11 @@ static const struct nla_policy handshake_accept_nl_policy[HANDSHAKE_A_ACCEPT_HAN
> };
>
> /* HANDSHAKE_CMD_DONE - do */
> -static const struct nla_policy handshake_done_nl_policy[HANDSHAKE_A_DONE_REMOTE_AUTH + 1] = {
> +static const struct nla_policy handshake_done_nl_policy[__HANDSHAKE_A_DONE_MAX] = {
Although it's necessary to update this file in patches,
it is automatically generated using: make -C tools/net/ynl/
Accordingly, although the meaning is the same, the line above should be:
static const struct nla_policy handshake_done_nl_policy[HANDSHAKE_A_DONE_RECORD_SIZE_LIMIT + 1] = {
> [HANDSHAKE_A_DONE_STATUS] = { .type = NLA_U32, },
> [HANDSHAKE_A_DONE_SOCKFD] = { .type = NLA_S32, },
> [HANDSHAKE_A_DONE_REMOTE_AUTH] = { .type = NLA_U32, },
> + [HANDSHAKE_A_DONE_RECORD_SIZE_LIMIT] = { .type = NLA_U32, },
> };
>
> /* Ops table for handshake */
> @@ -35,7 +36,7 @@ static const struct genl_split_ops handshake_nl_ops[] = {
> .cmd = HANDSHAKE_CMD_DONE,
> .doit = handshake_nl_done_doit,
> .policy = handshake_done_nl_policy,
> - .maxattr = HANDSHAKE_A_DONE_REMOTE_AUTH,
> + .maxattr = HANDSHAKE_A_DONE_MAX,
And this one should be:
.maxattr = HANDSHAKE_A_DONE_RECORD_SIZE_LIMIT,
> .flags = GENL_CMD_CAP_DO,
> },
> };
...
--
pw-bot: changes-requested
Powered by blists - more mailing lists