lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 26 Apr 2022 08:02:47 -0700
From:   Jakub Kicinski <kuba@...nel.org>
To:     Sagi Grimberg <sagi@...mberg.me>
Cc:     Hannes Reinecke <hare@...e.de>,
        Chuck Lever <chuck.lever@...cle.com>, netdev@...r.kernel.org,
        linux-nfs@...r.kernel.org, linux-nvme@...ts.infradead.org,
        linux-cifs@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        ak@...pesta-tech.com, borisp@...dia.com, simo@...hat.com
Subject: Re: [PATCH RFC 4/5] net/tls: Add support for PF_TLSH (a TLS
 handshake listener)

On Tue, 26 Apr 2022 17:29:03 +0300 Sagi Grimberg wrote:
> >> Create the socket in user space, do all the handshakes you need there
> >> and then pass it to the kernel.  This is how NBD + TLS works.  Scales
> >> better and requires much less kernel code.
> >>  
> > But we can't, as the existing mechanisms (at least for NVMe) creates the 
> > socket in-kernel.
> > Having to create the socket in userspace would require a completely new 
> > interface for nvme and will not be backwards compatible.  
> 
> And we will still need the upcall anyways when we reconnect 
> (re-establish the socket)

That totally flew over my head, I have zero familiarity with in-kernel
storage network users :S

In all honesty the tls code in the kernel is a bit of a dumping ground.
People come, dump a bunch of code and disappear. Nobody seems to care
that the result is still (years in) not ready for production use :/
Until a month ago it'd break connections even under moderate memory
pressure. This set does not even have selftests.

Plus there are more protocols being actively worked on (QUIC, PSP etc.)
Having per ULP special sauce to invoke a user space helper is not the
paradigm we chose, and the time as inopportune as ever to change that.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ