| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 12 May 2024 21:24:23 -0400 From: Willem de Bruijn <willemdebruijn.kernel@...il.com> To: Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org Cc: pabeni@...hat.com, willemdebruijn.kernel@...il.com, borisp@...dia.com, gal@...dia.com, cratiu@...dia.com, rrameshbabu@...dia.com, steffen.klassert@...unet.com, tariqt@...dia.com, Jakub Kicinski <kuba@...nel.org> Subject: Re: [RFC net-next 01/15] psp: add documentation Jakub Kicinski wrote: > Add documentation of things which belong in the docs rather > than commit messages. > > Signed-off-by: Jakub Kicinski <kuba@...nel.org> > --- > Documentation/networking/index.rst | 1 + > Documentation/networking/psp.rst | 138 +++++++++++++++++++++++++++++ > 2 files changed, 139 insertions(+) > create mode 100644 Documentation/networking/psp.rst > > diff --git a/Documentation/networking/index.rst b/Documentation/networking/index.rst > index 7664c0bfe461..0376029ecbdf 100644 > --- a/Documentation/networking/index.rst > +++ b/Documentation/networking/index.rst > @@ -94,6 +94,7 @@ Refer to :ref:`netdev-FAQ` for a guide on netdev development process specifics. > ppp_generic > proc_net_tcp > pse-pd/index > + psp > radiotap-headers > rds > regulatory > diff --git a/Documentation/networking/psp.rst b/Documentation/networking/psp.rst > new file mode 100644 > index 000000000000..a39b464813ab > --- /dev/null > +++ b/Documentation/networking/psp.rst > @@ -0,0 +1,138 @@ > +.. SPDX-License-Identifier: GPL-2.0-only > + > +===================== > +PSP Security Protocol > +===================== > + > +Protocol > +======== > + > +PSP Security Protocol (PSP) was defined at Google and published in: > + > +https://raw.githubusercontent.com/google/psp/main/doc/PSP_Arch_Spec.pdf > + > +This section briefly covers protocol aspects crucial for understanding > +the kernel API. Refer to the protocol specification for further details. > + > +Note that the kernel implementation and documentation uses the term > +"secret state" in place of "master key", it is both less confusing > +to an average developer and is less likely to run afoul any naming > +guidelines. There is some value in using the same terminology in the code as in the spec. And the session keys are derived from a key. That is more precise than state. Specifically, counter-mode KDF from an AES key. Perhaps device key, instead of master key? > +Derived Rx keys > +--------------- > + > +PSP borrows some terms and mechanisms from IPsec. PSP was designed > +with HW offloads in mind. The key feature of PSP is that Rx keys for every > +connection do not have to be stored by the receiver but can be derived > +from secret state and information present in packet headers. A second less obvious, but neat, feature is that it supports an encryption offset, such that (say) the L4 ports are integrity protected, but not encrypted, to allow for in-network telemetry. > +This makes it possible to implement receivers which require a constant > +amount of memory regardless of the number of connections (``O(1)`` scaling). > + > +Tx keys have to be stored like with any other protocol, Keys can optionally be passed in descriptor. > +The expectation is that higher layer protocols will take care of > +protocol and key negotiation. For example one may use TLS key exchange, > +announce the PSP capability, and switch to PSP if both endpoints > +are PSP-capable. > +Securing a connection > +--------------------- > + > +PSP encryption is currently only supported for TCP connections. > +Rx and Tx keys are allocated separately. First the ``rx-assoc`` > +Netlink command needs to be issued, specifying a target TCP socket. > +Kernel will allocate a new PSP Rx key from the NIC and associate it > +with given socket. At this stage socket will accept both PSP-secured > +and plain text TCP packets. > + > +Tx keys are installed using the ``tx-assoc`` Netlink command. > +Once the Tx keys are installed all data read from the socket will > +be PSP-secured. In other words act of installing Tx keys has the secondary > +effect on the Rx direction, requring all received packets to be encrypted. Consider clarifying the entire state diagram from when one pair initiates upgrade. And some edge cases: - retransmits - TCP fin handshake, if only one peer succeeds - TCP control socket response to encrypted pkt What is the expectation for data already queued for transmission when the tx assocation is made? More generally, what happens for data in flight. One possible simplification is to only allow an upgrade sequence (possibly including in-band exchange of keys) when no other data is in flight. > +Since packet reception is asynchronous, to make it possible for the > +application to trust that any data read from the socket after the ``tx-assoc`` > +call returns success has been encrypted, the kernel will scan the receive > +queue of the socket at ``tx-assoc`` time. If any enqueued packet was received > +in clear text the Tx association will fail, and application should retry > +installing the Tx key after draining the socket (this should not be necessary > +if both endpoints are well behaved). > + > +Rotation notifications > +---------------------- > + > +The rotations of secret state happen asynchornously and are usually typo: asynchronously > +performed by management daemons, not under application control. > +The PSP netlink family will generate a notification whenever keys > +are rotated. The applications are expected to re-establish connections > +before keys are rotated again. Connection key rotation is not supported? I did notice that tx key insertion fails if a key is already present, so this does appear to be the behavior.
Powered by blists - more mailing lists