lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 12 May 2022 16:34:58 -0700
From:   Jakub Kicinski <>
To:     Maxim Mikityanskiy <>
Cc:     "David S. Miller" <>,
        Daniel Borkmann <>,
        Paolo Abeni <>,
        Boris Pismenny <>,
        Tariq Toukan <>,
        "Saeed Mahameed" <>,
        Gal Pressman <>, <>
Subject: Re: [PATCH net-next v2] tls: Add opt-in zerocopy mode of sendfile()

On Wed, 11 May 2022 15:15:25 +0300 Maxim Mikityanskiy wrote:
> TLS device offload copies sendfile data to a bounce buffer before
> transmitting. It allows to maintain the valid MAC on TLS records when
> the file contents change and a part of TLS record has to be
> retransmitted on TCP level.
> In many common use cases (like serving static files over HTTPS) the file
> contents are not changed on the fly. In many use cases breaking the
> connection is totally acceptable if the file is changed during
> transmission, because it would be received corrupted in any case.
> This commit allows to optimize performance for such use cases to
> providing a new optional mode of TLS sendfile(), in which the extra copy
> is skipped. Removing this copy improves performance significantly, as
> TLS and TCP sendfile perform the same operations, and the only overhead
> is TLS header/trailer insertion.
> The new mode can only be enabled with the new socket option named
> TLS_TX_ZEROCOPY_SENDFILE on per-socket basis. It preserves backwards
> compatibility with existing applications that rely on the copying
> behavior.
> The new mode is safe, meaning that unsolicited modifications of the file
> being sent can't break integrity of the kernel. The worst thing that can
> happen is sending a corrupted TLS record, which is in any case not
> forbidden when using regular TCP sockets.
> Sockets other than TLS device offload are not affected by the new socket
> option.

What about the reporting via sock diag? Am I misremembering something? 

Powered by blists - more mailing lists