lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 May 2022 10:57:06 +0300 From: Maxim Mikityanskiy <maximmi@...dia.com> To: Jakub Kicinski <kuba@...nel.org> Cc: "David S. Miller" <davem@...emloft.net>, Daniel Borkmann <daniel@...earbox.net>, Paolo Abeni <pabeni@...hat.com>, Boris Pismenny <borisp@...dia.com>, Tariq Toukan <tariqt@...dia.com>, Saeed Mahameed <saeedm@...dia.com>, Gal Pressman <gal@...dia.com>, netdev@...r.kernel.org Subject: Re: [PATCH net-next v2] tls: Add opt-in zerocopy mode of sendfile() On 2022-05-13 02:34, Jakub Kicinski wrote: > On Wed, 11 May 2022 15:15:25 +0300 Maxim Mikityanskiy wrote: >> TLS device offload copies sendfile data to a bounce buffer before >> transmitting. It allows to maintain the valid MAC on TLS records when >> the file contents change and a part of TLS record has to be >> retransmitted on TCP level. >> >> In many common use cases (like serving static files over HTTPS) the file >> contents are not changed on the fly. In many use cases breaking the >> connection is totally acceptable if the file is changed during >> transmission, because it would be received corrupted in any case. >> >> This commit allows to optimize performance for such use cases to >> providing a new optional mode of TLS sendfile(), in which the extra copy >> is skipped. Removing this copy improves performance significantly, as >> TLS and TCP sendfile perform the same operations, and the only overhead >> is TLS header/trailer insertion. >> >> The new mode can only be enabled with the new socket option named >> TLS_TX_ZEROCOPY_SENDFILE on per-socket basis. It preserves backwards >> compatibility with existing applications that rely on the copying >> behavior. >> >> The new mode is safe, meaning that unsolicited modifications of the file >> being sent can't break integrity of the kernel. The worst thing that can >> happen is sending a corrupted TLS record, which is in any case not >> forbidden when using regular TCP sockets. >> >> Sockets other than TLS device offload are not affected by the new socket >> option. > > What about the reporting via sock diag? Am I misremembering something? I recall we discussed that "zerocopy is active" can be restored as "hardware offload && setsockopt flag requested", and I saw that tls_get_info exposes the hardware offload state for the socket, so I thought the existing information in sock_diag was enough. If you think, though, that it will be better to have an explicit indication of the zerocopy flag to sock_diag, I can add it, it's not a problem. Does the rest of the patch look good to you? Thanks, Max
Powered by blists - more mailing lists