Date: Thu, 22 Feb 2018 13:12:41 -0500
From: Drew Gallatin <gallatin@netflix.com>
To: freebsd-transport@freebsd.org
Subject: Netflix kernel TLS
Message-ID: <CADLQ3sLPoG8qEO21BaoAGcS0XOSDmgVA9%2B0xAy7JujpxUAwh=A@mail.gmail.com>
As discussed in the meeting today, I have backported our kernel TLS to an upstream kernel and made it available for comment. See the nf_ktls branch of my public github: https://github.com/gallatin/freebsd/tree/nf_ktls

It is enabled by 'options KERN_TLS'.

A few random facts:

- This is transmit only.
- Applications linking to OpenSSL are automatically accelerated for socket writes, assuming that a compatible cipher is supported in the kernel.
- It adds a new OpenSSL API entry point, SSL_sendfile(), which is self-explanatory. You can see example usage in our patch to nginx, at https://people.freebsd.org/~gallatin/nginx_ssl_sendfile.diff
- It has been tested and run only on AMD64. I suspect it will work on any arch with a direct map (e.g., PHYS_TO_DMAP, DMAP_TO_PHYS).
- It requires my vectorized unmapped mbufs (present in that branch). Note that my vectorized mbufs should work on any arch, and I've measured speedups on i386, simply because we avoid mapping sf_bufs.
- It requires a backend crypto module to support the actual encryption. I totally suck at ports, but I've left a port of intel-isa-l at https://people.freebsd.org/~gallatin/intel-isa-aes-kmod.txz

Best regards,
Drew
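The following is an added illustration, not code from the nf_ktls branch, OpenSSL or the nginx patch, of what a transmit-only kernel TLS path has to do with the plaintext an application writes once the user-space library has handed it the session's write key, implicit IV and starting sequence number: fragment to at most 2^14 bytes, build the TLS 1.2 record header and the RFC 5288 explicit nonce, authenticate the sequence number and header fields as AAD, and stop rather than reuse a nonce when the 64-bit sequence number runs out. The AEAD is a stand-in built from HMAC-SHA256 so the script runs offline with the standard library only (it is not AES-GCM, and the crypto module named in the mail is not involved); the keys, IV and payload are constructed for the example.

```python
"""Model of a transmit-only kernel TLS record layer (TLS 1.2 AEAD framing).

Added example: this is not code from the nf_ktls branch, OpenSSL or nginx.
The user-space TLS library keeps the handshake and hands the kernel only the
negotiated write key, the 4-byte implicit IV and the starting sequence number;
the kernel-side path then turns plain socket writes into TLS records:
  * split into fragments of at most 2^14 bytes (RFC 5246 6.2.1),
  * explicit nonce = 64-bit sequence number (RFC 5288 3, as OpenSSL does),
  * AAD = seq || type || version || plaintext length (RFC 5246 6.2.3.3),
  * refuse to continue once the sequence number would wrap.
The AEAD is a stand-in built from HMAC-SHA256 so the example runs with the
standard library only; it is NOT AES-GCM and must never carry real traffic.
"""
import hashlib
import hmac
import struct

TLS_APPLICATION_DATA = 23
TLS12 = 0x0303
MAX_PLAINTEXT = 1 << 14      # largest TLSPlaintext fragment
EXPLICIT_NONCE_LEN = 8
TAG_LEN = 16
MAX_SEQ = (1 << 64) - 1


class NonceExhausted(Exception):
    """Sequence number would wrap; the session must be renegotiated."""


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def toy_aead_seal(key: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Stand-in AEAD: keystream XOR plus a MAC over nonce, AAD and ciphertext."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + aad + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def toy_aead_open(key: bytes, nonce: bytes, aad: bytes, sealed: bytes) -> bytes:
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    want = hmac.new(key, b"tag" + nonce + aad + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, want):
        raise ValueError("record authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KtlsTxSession:
    """Per-socket transmit state the kernel would hold after enablement."""

    def __init__(self, key: bytes, implicit_iv: bytes, seq: int = 0):
        if len(implicit_iv) != 4:
            raise ValueError("TLS 1.2 AEAD implicit IV (salt) is 4 bytes")
        self.key, self.iv, self.seq = key, implicit_iv, seq

    def _frame(self, fragment: bytes) -> bytes:
        if self.seq > MAX_SEQ:
            raise NonceExhausted("sequence number exhausted; renegotiate")
        seq_bytes = struct.pack(">Q", self.seq)
        nonce = self.iv + seq_bytes                      # salt || explicit nonce
        aad = seq_bytes + struct.pack(">BHH", TLS_APPLICATION_DATA, TLS12, len(fragment))
        body = seq_bytes + toy_aead_seal(self.key, nonce, aad, fragment)
        header = struct.pack(">BHH", TLS_APPLICATION_DATA, TLS12, len(body))
        self.seq += 1                                    # never reused, never reset
        return header + body

    def write(self, data: bytes) -> bytes:
        """What a plain write(2)/sendfile(2) on the socket becomes on the wire."""
        return b"".join(self._frame(data[o:o + MAX_PLAINTEXT])
                        for o in range(0, len(data), MAX_PLAINTEXT))


def ktls_rx_open(key: bytes, implicit_iv: bytes, seq: int, wire: bytes) -> list:
    """Peer-side decode, used only to check the framing (the mail's KTLS is TX-only)."""
    out, off = [], 0
    while off < len(wire):
        ctype, ver, length = struct.unpack_from(">BHH", wire, off)
        off += 5
        body = wire[off:off + length]
        off += length
        if len(body) != length or ctype != TLS_APPLICATION_DATA or ver != TLS12:
            raise ValueError("malformed record")
        explicit, sealed = body[:EXPLICIT_NONCE_LEN], body[EXPLICIT_NONCE_LEN:]
        # The receiver's own counter goes into the AAD, not the bytes on the wire.
        aad = struct.pack(">Q", seq) + struct.pack(">BHH", ctype, ver, len(sealed) - TAG_LEN)
        out.append(toy_aead_open(key, implicit_iv + explicit, aad, sealed))
        seq += 1
    return out


if __name__ == "__main__":
    tx = KtlsTxSession(b"\x11" * 32, b"\x00\x01\x02\x03")          # constructed session keys
    wire = tx.write(b"HTTP/1.1 200 OK\r\n\r\n" + b"x" * 20000)      # constructed payload
    print(len(wire), "bytes on the wire in", tx.seq, "records")
```

The receive-side decoder is there only to check that the framing round-trips; the kernel in the mail does not decrypt. The property worth checking in any such implementation is the one the sequence counter enforces: the explicit nonce is never reused and never reset by a retransmission, because with AES-GCM a repeated nonce under the same key breaks both confidentiality and integrity.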