1d1e05529SJohn Baldwin.\" Copyright (c) 2020, Chelsio Inc 2d1e05529SJohn Baldwin.\" All rights reserved. 3d1e05529SJohn Baldwin.\" 4d1e05529SJohn Baldwin.\" Redistribution and use in source and binary forms, with or without 5d1e05529SJohn Baldwin.\" modification, are permitted provided that the following conditions are met: 6d1e05529SJohn Baldwin.\" 7d1e05529SJohn Baldwin.\" 1. Redistributions of source code must retain the above copyright notice, 8d1e05529SJohn Baldwin.\" this list of conditions and the following disclaimer. 9d1e05529SJohn Baldwin.\" 10d1e05529SJohn Baldwin.\" 2. Redistributions in binary form must reproduce the above copyright 11d1e05529SJohn Baldwin.\" notice, this list of conditions and the following disclaimer in the 12d1e05529SJohn Baldwin.\" documentation and/or other materials provided with the distribution. 13d1e05529SJohn Baldwin.\" 14d1e05529SJohn Baldwin.\" 3. Neither the name of the Chelsio Inc nor the names of its 15d1e05529SJohn Baldwin.\" contributors may be used to endorse or promote products derived from 16d1e05529SJohn Baldwin.\" this software without specific prior written permission. 17d1e05529SJohn Baldwin.\" 18d1e05529SJohn Baldwin.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19d1e05529SJohn Baldwin.\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20d1e05529SJohn Baldwin.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21d1e05529SJohn Baldwin.\" ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22d1e05529SJohn Baldwin.\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23d1e05529SJohn Baldwin.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24d1e05529SJohn Baldwin.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25d1e05529SJohn Baldwin.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26d1e05529SJohn Baldwin.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27d1e05529SJohn Baldwin.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28d1e05529SJohn Baldwin.\" POSSIBILITY OF SUCH DAMAGE. 29d1e05529SJohn Baldwin.\" 30d1e05529SJohn Baldwin.\" * Other names and brands may be claimed as the property of others. 31d1e05529SJohn Baldwin.\" 32d1e05529SJohn Baldwin.\" $FreeBSD$ 33d1e05529SJohn Baldwin.\" 34*c5a36562SJohn Baldwin.Dd March 8, 2021 35d1e05529SJohn Baldwin.Dt KTLS 4 36d1e05529SJohn Baldwin.Os 37d1e05529SJohn Baldwin.Sh NAME 38d1e05529SJohn Baldwin.Nm ktls 39d1e05529SJohn Baldwin.Nd kernel Transport Layer Security 40d1e05529SJohn Baldwin.Sh SYNOPSIS 41d1e05529SJohn Baldwin.Cd options KERN_TLS 42d1e05529SJohn Baldwin.Sh DESCRIPTION 43d1e05529SJohn BaldwinThe 44d1e05529SJohn Baldwin.Nm 45d1e05529SJohn Baldwinfacility allows the kernel to perform Transport Layer Security (TLS) 46d1e05529SJohn Baldwinframing on TCP sockets. 47d1e05529SJohn BaldwinWith 48d1e05529SJohn Baldwin.Nm , 49d1e05529SJohn Baldwinthe initial handshake for a socket using TLS is performed in userland. 50d1e05529SJohn BaldwinOnce the session keys are negotiated, 51d1e05529SJohn Baldwinthey are provided to the kernel via the 52d1e05529SJohn Baldwin.Dv TCP_TXTLS_ENABLE 53d1e05529SJohn Baldwinand 54d1e05529SJohn Baldwin.Dv TCP_RXTLS_ENABLE 55d1e05529SJohn Baldwinsocket options. 56d1e05529SJohn BaldwinBoth socket options accept a 57*c5a36562SJohn Baldwin.Vt struct tls_enable 58d1e05529SJohn Baldwinstructure as their argument. 59d1e05529SJohn BaldwinThe members of this structure describe the cipher suite used for the 60d1e05529SJohn BaldwinTLS session and provide the session keys used for the respective 61d1e05529SJohn Baldwindirection. 62d1e05529SJohn Baldwin.Pp 63d1e05529SJohn Baldwin.Nm 64d1e05529SJohn Baldwinonly permits the session keys to be set once in each direction. 65d1e05529SJohn BaldwinAs a result, 66d1e05529SJohn Baldwinapplications must disable rekeying when using 67d1e05529SJohn Baldwin.Nm . 68d1e05529SJohn Baldwin.Ss Modes 69d1e05529SJohn Baldwin.Nm 70d1e05529SJohn Baldwincan operate in different modes. 71d1e05529SJohn BaldwinA given socket may use different modes for transmit and receive, 72d1e05529SJohn Baldwinor a socket may only offload a single direction. 73d1e05529SJohn BaldwinThe available modes are: 74d1e05529SJohn Baldwin.Bl -tag -width "Dv TCP_TLS_MODE_IFNET" 75d1e05529SJohn Baldwin.It Dv TCP_TLS_MODE_NONE 76d1e05529SJohn Baldwin.Nm 77d1e05529SJohn Baldwinis not enabled. 78d1e05529SJohn Baldwin.It Dv TCP_TLS_MODE_SW 79d1e05529SJohn BaldwinTLS records are encrypted or decrypted in the kernel in the socket 80d1e05529SJohn Baldwinlayer. 813413f262SJohn BaldwinTypically the encryption or decryption is performed in software, 82d1e05529SJohn Baldwinbut it may also be performed by co-processors via 83d1e05529SJohn Baldwin.Xr crypto 9 . 84d1e05529SJohn Baldwin.It Dv TCP_TLS_MODE_IFNET 85d1e05529SJohn BaldwinTLS records are encrypted or decrypted by the network interface card (NIC). 86d1e05529SJohn BaldwinIn this mode, the network stack does not work with encrypted data. 873413f262SJohn BaldwinInstead, the NIC encrypts TLS records as they are being transmitted, 88d1e05529SJohn Baldwinor decrypts received TLS records before providing them to the host. 89d1e05529SJohn Baldwin.Pp 90d1e05529SJohn BaldwinNetwork interfaces which support this feature will advertise the 91d1e05529SJohn Baldwin.Dv TXTLS4 92d1e05529SJohn Baldwin(for IPv4) 93d1e05529SJohn Baldwinand/or 94d1e05529SJohn Baldwin.Dv TXTLS6 95d1e05529SJohn Baldwin(for IPv6) 96d1e05529SJohn Baldwincapabilities as reported by 97d1e05529SJohn Baldwin.Xr ifconfig 8 . 98d1e05529SJohn BaldwinThese capabilities can also be controlled by 99d1e05529SJohn Baldwin.Xr ifconfig 8 . 100d1e05529SJohn Baldwin.Pp 101d1e05529SJohn BaldwinIf a network interface supports rate limiting 102d1e05529SJohn Baldwin(also known as packet pacing) for TLS offload, 103d1e05529SJohn Baldwinthe interface will advertise the 104d1e05529SJohn Baldwin.Dv TXTLS_RTLMT 105d1e05529SJohn Baldwincapability. 106d1e05529SJohn Baldwin.It Dv TCP_TLS_MODE_TOE 107d1e05529SJohn BaldwinTLS records are encrypted by the NIC using a TCP offload engine (TOE). 108d1e05529SJohn BaldwinThis is similar to 109d1e05529SJohn Baldwin.Dv TCP_TLS_MODE_IFNET 110d1e05529SJohn Baldwinin that the network stack does not work with encrypted data. 111d1e05529SJohn BaldwinHowever, this mode works in tandem with a TOE to handle interactions 112d1e05529SJohn Baldwinbetween TCP and TLS. 113d1e05529SJohn Baldwin.El 114d1e05529SJohn Baldwin.Ss Transmit 115d1e05529SJohn BaldwinOnce TLS transmit is enabled by a successful set of the 116d1e05529SJohn Baldwin.Dv TCP_TXTLS_ENABLE 117d1e05529SJohn Baldwinsocket option, 118d1e05529SJohn Baldwinall data written on the socket is stored in TLS records and encrypted. 119d1e05529SJohn BaldwinMost data is transmitted in application layer TLS records, 120d1e05529SJohn Baldwinand the kernel chooses how to partition data among TLS records. 121d1e05529SJohn BaldwinIndividual TLS records with a fixed length and record type can be sent 122d1e05529SJohn Baldwinby 123d1e05529SJohn Baldwin.Xr sendmsg 2 124d1e05529SJohn Baldwinwith the TLS record type set in a 125d1e05529SJohn Baldwin.Dv TLS_SET_RECORD_TYPE 126d1e05529SJohn Baldwincontrol message. 127d1e05529SJohn BaldwinThe payload of this control message is a single byte holding the desired 128d1e05529SJohn BaldwinTLS record type. 129d1e05529SJohn BaldwinThis can be used to send TLS records with a type other than 130d1e05529SJohn Baldwinapplication data (for example, handshake messages) or to send 131d1e05529SJohn Baldwinapplication data records with specific contents (for example, empty 132d1e05529SJohn Baldwinfragments). 133d1e05529SJohn Baldwin.Pp 134d1e05529SJohn BaldwinTLS transmit requires the use of unmapped mbufs. 135d1e05529SJohn BaldwinUnmapped mbufs are not enabled by default, but can be enabled by 136d1e05529SJohn Baldwinsetting the 137d1e05529SJohn Baldwin.Va kern.ipc.mb_use_ext_pgs 138d1e05529SJohn Baldwinsysctl node to 1. 139d1e05529SJohn Baldwin.Pp 140d1e05529SJohn BaldwinThe current TLS transmit mode of a socket can be queried via the 141d1e05529SJohn Baldwin.Dv TCP_TXTLS_MODE 142d1e05529SJohn Baldwinsocket option. 143d1e05529SJohn BaldwinA socket using TLS transmit offload can also set the 144d1e05529SJohn Baldwin.Dv TCP_TXTLS_MODE 145d1e05529SJohn Baldwinsocket option to toggle between 146d1e05529SJohn Baldwin.Dv TCP_TLS_MODE_SW 147d1e05529SJohn Baldwinand 148d1e05529SJohn Baldwin.Dv TCP_TLS_MODE_IFNET . 149d1e05529SJohn Baldwin.Ss Receive 150d1e05529SJohn BaldwinOnce TLS receive is enabled by a successful set of the 151d1e05529SJohn Baldwin.Dv TCP_RXTLS_ENABLE 152d1e05529SJohn Baldwinsocket option, 153d1e05529SJohn Baldwinall data read from the socket is returned as decrypted TLS records. 154d1e05529SJohn BaldwinEach received TLS record must be read from the socket using 155d1e05529SJohn Baldwin.Xr recvmsg 2 . 156d1e05529SJohn BaldwinEach received TLS record will contain a 157d1e05529SJohn Baldwin.Dv TLS_GET_RECORD 158d1e05529SJohn Baldwincontrol message along with the decrypted payload. 159d1e05529SJohn BaldwinThe control message contains a 160d1e05529SJohn Baldwin.Vt struct tls_get_record 161d1e05529SJohn Baldwinwhich includes fields from the TLS record header. 162d1e05529SJohn BaldwinIf an invalid or corrupted TLS record is received, 163fd112705SJohn-Mark Gurney.Xr recvmsg 2 164d1e05529SJohn Baldwinwill fail with one of the following errors: 165d1e05529SJohn Baldwin.Bl -tag -width Er 166d1e05529SJohn Baldwin.It Bq Er EINVAL 167d1e05529SJohn BaldwinThe version fields in a TLS record's header did not match the version required 168d1e05529SJohn Baldwinby the 169*c5a36562SJohn Baldwin.Vt struct tls_enable 170d1e05529SJohn Baldwinstructure used to enable in-kernel TLS. 171d1e05529SJohn Baldwin.It Bq Er EMSGSIZE 172d1e05529SJohn BaldwinA TLS record's length was either too small or too large. 173d1e05529SJohn Baldwin.It Bq Er EMSGSIZE 174d1e05529SJohn BaldwinThe connection was closed after sending a truncated TLS record. 175d1e05529SJohn Baldwin.It Bq Er EBADMSG 176d1e05529SJohn BaldwinThe TLS record failed to match the included authentication tag. 177d1e05529SJohn Baldwin.El 178d1e05529SJohn Baldwin.Pp 179d1e05529SJohn BaldwinThe current TLS receive mode of a socket can be queried via the 180d1e05529SJohn Baldwin.Dv TCP_RXTLS_MODE 181d1e05529SJohn Baldwinsocket option. 182d1e05529SJohn BaldwinAt present, 183d1e05529SJohn Baldwinthe mode cannot be changed. 184d1e05529SJohn Baldwin.Ss Sysctl Nodes 185d1e05529SJohn Baldwin.Nm 186d1e05529SJohn Baldwinuses several sysctl nodes under the 187d1e05529SJohn Baldwin.Va kern.ipc.tls 188d1e05529SJohn Baldwinnode. 189d1e05529SJohn BaldwinA few of them are described below: 190d1e05529SJohn Baldwin.Bl -tag -width ".Va kern.ipc.tls.cbc_enable" 191d1e05529SJohn Baldwin.It Va kern.ipc.tls.enable 192d1e05529SJohn BaldwinDetermines if new kernel TLS sessions can be created. 193d1e05529SJohn Baldwin.It Va kern.ipc.tls.cbc_enable 194d1e05529SJohn BaldwinDetermines if new kernel TLS sessions with a cipher suite using AES-CBC 195d1e05529SJohn Baldwincan be created. 196d1e05529SJohn Baldwin.It Va kern.ipc.tls.sw 197d1e05529SJohn BaldwinA tree of nodes containing statistics for TLS sessions using 198d1e05529SJohn Baldwin.Dv TCP_TLS_MODE_SW . 199d1e05529SJohn Baldwin.It Va kern.ipc.tls.ifnet 200d1e05529SJohn BaldwinA tree of nodes containing statistics for TLS sessions using 201d1e05529SJohn Baldwin.Dv TCP_TLS_MODE_IFNET . 202d1e05529SJohn Baldwin.It Va kern.ipc.tls.toe 203d1e05529SJohn BaldwinA tree of nodes containing statistics for TLS sessions using 204d1e05529SJohn Baldwin.Dv TCP_TLS_MODE_TOE . 205d1e05529SJohn Baldwin.It Va kern.ipc.tls.stats 206d1e05529SJohn BaldwinA tree of nodes containing various kernel TLS statistics. 207d1e05529SJohn Baldwin.El 208d1e05529SJohn Baldwin.Ss Backends 209d1e05529SJohn BaldwinThe base system includes a software backend for the 210d1e05529SJohn Baldwin.Dv TCP_TLS_MODE_SW 211d1e05529SJohn Baldwinmode which uses 212d1e05529SJohn Baldwin.Xr crypto 9 213d1e05529SJohn Baldwinto encrypt and decrypt TLS records. 214d1e05529SJohn BaldwinThis backend can be enabled by loading the 215d1e05529SJohn Baldwin.Pa ktls_ocf.ko 216d1e05529SJohn Baldwinkernel module. 217d1e05529SJohn Baldwin.Pp 218d1e05529SJohn BaldwinThe 219d1e05529SJohn Baldwin.Xr cxgbe 4 220d1e05529SJohn Baldwinand 221d1e05529SJohn Baldwin.Xr mlx5en 4 222d1e05529SJohn Baldwindrivers include support for the 223d1e05529SJohn Baldwin.Dv TCP_TLS_MODE_IFNET 224d1e05529SJohn Baldwinmode. 225d1e05529SJohn Baldwin.Pp 226d1e05529SJohn BaldwinThe 227d1e05529SJohn Baldwin.Xr cxgbe 4 228d1e05529SJohn Baldwindriver includes support for the 229d1e05529SJohn Baldwin.Dv TCP_TLS_MODE_TOE 230d1e05529SJohn Baldwinmode. 231d1e05529SJohn Baldwin.Ss Supported Libraries 232d1e05529SJohn BaldwinOpenSSL 3.0 and later include support for 233d1e05529SJohn Baldwin.Nm . 234d1e05529SJohn BaldwinThe 235d1e05529SJohn Baldwin.Fa devel/openssl 236d1e05529SJohn Baldwinport may also be built with support for 237d1e05529SJohn Baldwin.Nm 238d1e05529SJohn Baldwinby enabling the 239d1e05529SJohn Baldwin.Dv KTLS 240d1e05529SJohn Baldwinoption. 2416c34d8ceSGordon BerglingOpenSSL in the base system includes KTLS support when built with 2426c34d8ceSGordon Bergling.Dv WITH_OPENSSL_KTLS . 243d1e05529SJohn Baldwin.Pp 244d1e05529SJohn BaldwinApplications using a supported library should generally work with 245d1e05529SJohn Baldwin.Nm 246d1e05529SJohn Baldwinwithout any changes provided they use standard interfaces such as 247d1e05529SJohn Baldwin.Xr SSL_read 3 248d1e05529SJohn Baldwinand 249d1e05529SJohn Baldwin.Xr SSL_write 3 . 250d1e05529SJohn BaldwinAdditional performance may be gained by the use of 251d1e05529SJohn Baldwin.Xr SSL_sendfile 3 . 252d1e05529SJohn Baldwin.Sh IMPLEMENTATION NOTES 253d1e05529SJohn Baldwin.Nm 254d1e05529SJohn Baldwinassumes the presence of a direct map of physical memory when performing 255d1e05529SJohn Baldwinsoftware encryption and decryption. 256d1e05529SJohn BaldwinAs a result, it is only supported on architectures with a direct map. 257d1e05529SJohn Baldwin.Sh SEE ALSO 258d1e05529SJohn Baldwin.Xr cxgbe 4 , 259d1e05529SJohn Baldwin.Xr mlx5en 4 , 260d1e05529SJohn Baldwin.Xr tcp 4 , 2616c34d8ceSGordon Bergling.Xr src.conf 5 , 262d1e05529SJohn Baldwin.Xr ifconfig 8 , 263d1e05529SJohn Baldwin.Xr sysctl 8 , 264d1e05529SJohn Baldwin.Xr crypto 9 265d1e05529SJohn Baldwin.Sh HISTORY 266d1e05529SJohn BaldwinKernel TLS first appeared in 267d1e05529SJohn Baldwin.Fx 13.0 . 268