xref: /freebsd/share/man/man4/ktls.4 (revision fd11270509f26e9ebde11ef7d3c3c34497f29124)
1d1e05529SJohn Baldwin.\" Copyright (c) 2020, Chelsio Inc
2d1e05529SJohn Baldwin.\" All rights reserved.
3d1e05529SJohn Baldwin.\"
4d1e05529SJohn Baldwin.\" Redistribution and use in source and binary forms, with or without
5d1e05529SJohn Baldwin.\" modification, are permitted provided that the following conditions are met:
6d1e05529SJohn Baldwin.\"
7d1e05529SJohn Baldwin.\" 1. Redistributions of source code must retain the above copyright notice,
8d1e05529SJohn Baldwin.\"    this list of conditions and the following disclaimer.
9d1e05529SJohn Baldwin.\"
10d1e05529SJohn Baldwin.\" 2. Redistributions in binary form must reproduce the above copyright
11d1e05529SJohn Baldwin.\"    notice, this list of conditions and the following disclaimer in the
12d1e05529SJohn Baldwin.\"    documentation and/or other materials provided with the distribution.
13d1e05529SJohn Baldwin.\"
14d1e05529SJohn Baldwin.\" 3. Neither the name of the Chelsio Inc nor the names of its
15d1e05529SJohn Baldwin.\"    contributors may be used to endorse or promote products derived from
16d1e05529SJohn Baldwin.\"    this software without specific prior written permission.
17d1e05529SJohn Baldwin.\"
18d1e05529SJohn Baldwin.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19d1e05529SJohn Baldwin.\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20d1e05529SJohn Baldwin.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21d1e05529SJohn Baldwin.\" ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
22d1e05529SJohn Baldwin.\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23d1e05529SJohn Baldwin.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24d1e05529SJohn Baldwin.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25d1e05529SJohn Baldwin.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26d1e05529SJohn Baldwin.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27d1e05529SJohn Baldwin.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28d1e05529SJohn Baldwin.\" POSSIBILITY OF SUCH DAMAGE.
29d1e05529SJohn Baldwin.\"
30d1e05529SJohn Baldwin.\" * Other names and brands may be claimed as the property of others.
31d1e05529SJohn Baldwin.\"
32d1e05529SJohn Baldwin.\" $FreeBSD$
33d1e05529SJohn Baldwin.\"
343413f262SJohn Baldwin.Dd December 1, 2020
35d1e05529SJohn Baldwin.Dt KTLS 4
36d1e05529SJohn Baldwin.Os
37d1e05529SJohn Baldwin.Sh NAME
38d1e05529SJohn Baldwin.Nm ktls
39d1e05529SJohn Baldwin.Nd kernel Transport Layer Security
40d1e05529SJohn Baldwin.Sh SYNOPSIS
41d1e05529SJohn Baldwin.Cd options KERN_TLS
42d1e05529SJohn Baldwin.Sh DESCRIPTION
43d1e05529SJohn BaldwinThe
44d1e05529SJohn Baldwin.Nm
45d1e05529SJohn Baldwinfacility allows the kernel to perform Transport Layer Security (TLS)
46d1e05529SJohn Baldwinframing on TCP sockets.
47d1e05529SJohn BaldwinWith
48d1e05529SJohn Baldwin.Nm ,
49d1e05529SJohn Baldwinthe initial handshake for a socket using TLS is performed in userland.
50d1e05529SJohn BaldwinOnce the session keys are negotiated,
51d1e05529SJohn Baldwinthey are provided to the kernel via the
52d1e05529SJohn Baldwin.Dv TCP_TXTLS_ENABLE
53d1e05529SJohn Baldwinand
54d1e05529SJohn Baldwin.Dv TCP_RXTLS_ENABLE
55d1e05529SJohn Baldwinsocket options.
56d1e05529SJohn BaldwinBoth socket options accept a
57d1e05529SJohn Baldwin.Vt struct tls_so_enable
58d1e05529SJohn Baldwinstructure as their argument.
59d1e05529SJohn BaldwinThe members of this structure describe the cipher suite used for the
60d1e05529SJohn BaldwinTLS session and provide the session keys used for the respective
61d1e05529SJohn Baldwindirection.
62d1e05529SJohn Baldwin.Pp
63d1e05529SJohn Baldwin.Nm
64d1e05529SJohn Baldwinonly permits the session keys to be set once in each direction.
65d1e05529SJohn BaldwinAs a result,
66d1e05529SJohn Baldwinapplications must disable rekeying when using
67d1e05529SJohn Baldwin.Nm .
68d1e05529SJohn Baldwin.Ss Modes
69d1e05529SJohn Baldwin.Nm
70d1e05529SJohn Baldwincan operate in different modes.
71d1e05529SJohn BaldwinA given socket may use different modes for transmit and receive,
72d1e05529SJohn Baldwinor a socket may only offload a single direction.
73d1e05529SJohn BaldwinThe available modes are:
74d1e05529SJohn Baldwin.Bl -tag -width "Dv TCP_TLS_MODE_IFNET"
75d1e05529SJohn Baldwin.It Dv TCP_TLS_MODE_NONE
76d1e05529SJohn Baldwin.Nm
77d1e05529SJohn Baldwinis not enabled.
78d1e05529SJohn Baldwin.It Dv TCP_TLS_MODE_SW
79d1e05529SJohn BaldwinTLS records are encrypted or decrypted in the kernel in the socket
80d1e05529SJohn Baldwinlayer.
813413f262SJohn BaldwinTypically the encryption or decryption is performed in software,
82d1e05529SJohn Baldwinbut it may also be performed by co-processors via
83d1e05529SJohn Baldwin.Xr crypto 9 .
84d1e05529SJohn Baldwin.It Dv TCP_TLS_MODE_IFNET
85d1e05529SJohn BaldwinTLS records are encrypted or decrypted by the network interface card (NIC).
86d1e05529SJohn BaldwinIn this mode, the network stack does not work with encrypted data.
873413f262SJohn BaldwinInstead, the NIC encrypts TLS records as they are being transmitted,
88d1e05529SJohn Baldwinor decrypts received TLS records before providing them to the host.
89d1e05529SJohn Baldwin.Pp
90d1e05529SJohn BaldwinNetwork interfaces which support this feature will advertise the
91d1e05529SJohn Baldwin.Dv TXTLS4
92d1e05529SJohn Baldwin(for IPv4)
93d1e05529SJohn Baldwinand/or
94d1e05529SJohn Baldwin.Dv TXTLS6
95d1e05529SJohn Baldwin(for IPv6)
96d1e05529SJohn Baldwincapabilities as reported by
97d1e05529SJohn Baldwin.Xr ifconfig 8 .
98d1e05529SJohn BaldwinThese capabilities can also be controlled by
99d1e05529SJohn Baldwin.Xr ifconfig 8 .
100d1e05529SJohn Baldwin.Pp
101d1e05529SJohn BaldwinIf a network interface supports rate limiting
102d1e05529SJohn Baldwin(also known as packet pacing) for TLS offload,
103d1e05529SJohn Baldwinthe interface will advertise the
104d1e05529SJohn Baldwin.Dv TXTLS_RTLMT
105d1e05529SJohn Baldwincapability.
106d1e05529SJohn Baldwin.It Dv TCP_TLS_MODE_TOE
107d1e05529SJohn BaldwinTLS records are encrypted by the NIC using a TCP offload engine (TOE).
108d1e05529SJohn BaldwinThis is similar to
109d1e05529SJohn Baldwin.Dv TCP_TLS_MODE_IFNET
110d1e05529SJohn Baldwinin that the network stack does not work with encrypted data.
111d1e05529SJohn BaldwinHowever, this mode works in tandem with a TOE to handle interactions
112d1e05529SJohn Baldwinbetween TCP and TLS.
113d1e05529SJohn Baldwin.El
114d1e05529SJohn Baldwin.Ss Transmit
115d1e05529SJohn BaldwinOnce TLS transmit is enabled by a successful set of the
116d1e05529SJohn Baldwin.Dv TCP_TXTLS_ENABLE
117d1e05529SJohn Baldwinsocket option,
118d1e05529SJohn Baldwinall data written on the socket is stored in TLS records and encrypted.
119d1e05529SJohn BaldwinMost data is transmitted in application layer TLS records,
120d1e05529SJohn Baldwinand the kernel chooses how to partition data among TLS records.
121d1e05529SJohn BaldwinIndividual TLS records with a fixed length and record type can be sent
122d1e05529SJohn Baldwinby
123d1e05529SJohn Baldwin.Xr sendmsg 2
124d1e05529SJohn Baldwinwith the TLS record type set in a
125d1e05529SJohn Baldwin.Dv TLS_SET_RECORD_TYPE
126d1e05529SJohn Baldwincontrol message.
127d1e05529SJohn BaldwinThe payload of this control message is a single byte holding the desired
128d1e05529SJohn BaldwinTLS record type.
129d1e05529SJohn BaldwinThis can be used to send TLS records with a type other than
130d1e05529SJohn Baldwinapplication data (for example, handshake messages) or to send
131d1e05529SJohn Baldwinapplication data records with specific contents (for example, empty
132d1e05529SJohn Baldwinfragments).
133d1e05529SJohn Baldwin.Pp
134d1e05529SJohn BaldwinTLS transmit requires the use of unmapped mbufs.
135d1e05529SJohn BaldwinUnmapped mbufs are not enabled by default, but can be enabled by
136d1e05529SJohn Baldwinsetting the
137d1e05529SJohn Baldwin.Va kern.ipc.mb_use_ext_pgs
138d1e05529SJohn Baldwinsysctl node to 1.
139d1e05529SJohn Baldwin.Pp
140d1e05529SJohn BaldwinThe current TLS transmit mode of a socket can be queried via the
141d1e05529SJohn Baldwin.Dv TCP_TXTLS_MODE
142d1e05529SJohn Baldwinsocket option.
143d1e05529SJohn BaldwinA socket using TLS transmit offload can also set the
144d1e05529SJohn Baldwin.Dv TCP_TXTLS_MODE
145d1e05529SJohn Baldwinsocket option to toggle between
146d1e05529SJohn Baldwin.Dv TCP_TLS_MODE_SW
147d1e05529SJohn Baldwinand
148d1e05529SJohn Baldwin.Dv TCP_TLS_MODE_IFNET .
149d1e05529SJohn Baldwin.Ss Receive
150d1e05529SJohn BaldwinOnce TLS receive is enabled by a successful set of the
151d1e05529SJohn Baldwin.Dv TCP_RXTLS_ENABLE
152d1e05529SJohn Baldwinsocket option,
153d1e05529SJohn Baldwinall data read from the socket is returned as decrypted TLS records.
154d1e05529SJohn BaldwinEach received TLS record must be read from the socket using
155d1e05529SJohn Baldwin.Xr recvmsg 2 .
156d1e05529SJohn BaldwinEach received TLS record will contain a
157d1e05529SJohn Baldwin.Dv TLS_GET_RECORD
158d1e05529SJohn Baldwincontrol message along with the decrypted payload.
159d1e05529SJohn BaldwinThe control message contains a
160d1e05529SJohn Baldwin.Vt struct tls_get_record
161d1e05529SJohn Baldwinwhich includes fields from the TLS record header.
162d1e05529SJohn BaldwinIf an invalid or corrupted TLS record is received,
163*fd112705SJohn-Mark Gurney.Xr recvmsg 2
164d1e05529SJohn Baldwinwill fail with one of the following errors:
165d1e05529SJohn Baldwin.Bl -tag -width Er
166d1e05529SJohn Baldwin.It Bq Er EINVAL
167d1e05529SJohn BaldwinThe version fields in a TLS record's header did not match the version required
168d1e05529SJohn Baldwinby the
169d1e05529SJohn Baldwin.Vt struct tls_so_enable
170d1e05529SJohn Baldwinstructure used to enable in-kernel TLS.
171d1e05529SJohn Baldwin.It Bq Er EMSGSIZE
172d1e05529SJohn BaldwinA TLS record's length was either too small or too large.
173d1e05529SJohn Baldwin.It Bq Er EMSGSIZE
174d1e05529SJohn BaldwinThe connection was closed after sending a truncated TLS record.
175d1e05529SJohn Baldwin.It Bq Er EBADMSG
176d1e05529SJohn BaldwinThe TLS record failed to match the included authentication tag.
177d1e05529SJohn Baldwin.El
178d1e05529SJohn Baldwin.Pp
179d1e05529SJohn BaldwinThe current TLS receive mode of a socket can be queried via the
180d1e05529SJohn Baldwin.Dv TCP_RXTLS_MODE
181d1e05529SJohn Baldwinsocket option.
182d1e05529SJohn BaldwinAt present,
183d1e05529SJohn Baldwinthe mode cannot be changed.
184d1e05529SJohn Baldwin.Ss Sysctl Nodes
185d1e05529SJohn Baldwin.Nm
186d1e05529SJohn Baldwinuses several sysctl nodes under the
187d1e05529SJohn Baldwin.Va kern.ipc.tls
188d1e05529SJohn Baldwinnode.
189d1e05529SJohn BaldwinA few of them are described below:
190d1e05529SJohn Baldwin.Bl -tag -width ".Va kern.ipc.tls.cbc_enable"
191d1e05529SJohn Baldwin.It Va kern.ipc.tls.enable
192d1e05529SJohn BaldwinDetermines if new kernel TLS sessions can be created.
193d1e05529SJohn Baldwin.It Va kern.ipc.tls.cbc_enable
194d1e05529SJohn BaldwinDetermines if new kernel TLS sessions with a cipher suite using AES-CBC
195d1e05529SJohn Baldwincan be created.
196d1e05529SJohn Baldwin.It Va kern.ipc.tls.sw
197d1e05529SJohn BaldwinA tree of nodes containing statistics for TLS sessions using
198d1e05529SJohn Baldwin.Dv TCP_TLS_MODE_SW .
199d1e05529SJohn Baldwin.It Va kern.ipc.tls.ifnet
200d1e05529SJohn BaldwinA tree of nodes containing statistics for TLS sessions using
201d1e05529SJohn Baldwin.Dv TCP_TLS_MODE_IFNET .
202d1e05529SJohn Baldwin.It Va kern.ipc.tls.toe
203d1e05529SJohn BaldwinA tree of nodes containing statistics for TLS sessions using
204d1e05529SJohn Baldwin.Dv TCP_TLS_MODE_TOE .
205d1e05529SJohn Baldwin.It Va kern.ipc.tls.stats
206d1e05529SJohn BaldwinA tree of nodes containing various kernel TLS statistics.
207d1e05529SJohn Baldwin.El
208d1e05529SJohn Baldwin.Ss Backends
209d1e05529SJohn BaldwinThe base system includes a software backend for the
210d1e05529SJohn Baldwin.Dv TCP_TLS_MODE_SW
211d1e05529SJohn Baldwinmode which uses
212d1e05529SJohn Baldwin.Xr crypto 9
213d1e05529SJohn Baldwinto encrypt and decrypt TLS records.
214d1e05529SJohn BaldwinThis backend can be enabled by loading the
215d1e05529SJohn Baldwin.Pa ktls_ocf.ko
216d1e05529SJohn Baldwinkernel module.
217d1e05529SJohn Baldwin.Pp
218d1e05529SJohn BaldwinThe
219d1e05529SJohn Baldwin.Xr cxgbe 4
220d1e05529SJohn Baldwinand
221d1e05529SJohn Baldwin.Xr mlx5en 4
222d1e05529SJohn Baldwindrivers include support for the
223d1e05529SJohn Baldwin.Dv TCP_TLS_MODE_IFNET
224d1e05529SJohn Baldwinmode.
225d1e05529SJohn Baldwin.Pp
226d1e05529SJohn BaldwinThe
227d1e05529SJohn Baldwin.Xr cxgbe 4
228d1e05529SJohn Baldwindriver includes support for the
229d1e05529SJohn Baldwin.Dv TCP_TLS_MODE_TOE
230d1e05529SJohn Baldwinmode.
231d1e05529SJohn Baldwin.Ss Supported Libraries
232d1e05529SJohn BaldwinOpenSSL 3.0 and later include support for
233d1e05529SJohn Baldwin.Nm .
234d1e05529SJohn BaldwinThe
235d1e05529SJohn Baldwin.Fa devel/openssl
236d1e05529SJohn Baldwinport may also be built with support for
237d1e05529SJohn Baldwin.Nm
238d1e05529SJohn Baldwinby enabling the
239d1e05529SJohn Baldwin.Dv KTLS
240d1e05529SJohn Baldwinoption .
241d1e05529SJohn Baldwin.Pp
242d1e05529SJohn BaldwinApplications using a supported library should generally work with
243d1e05529SJohn Baldwin.Nm
244d1e05529SJohn Baldwinwithout any changes provided they use standard interfaces such as
245d1e05529SJohn Baldwin.Xr SSL_read 3
246d1e05529SJohn Baldwinand
247d1e05529SJohn Baldwin.Xr SSL_write 3 .
248d1e05529SJohn BaldwinAdditional performance may be gained by the use of
249d1e05529SJohn Baldwin.Xr SSL_sendfile 3 .
250d1e05529SJohn Baldwin.Sh IMPLEMENTATION NOTES
251d1e05529SJohn Baldwin.Nm
252d1e05529SJohn Baldwinassumes the presence of a direct map of physical memory when performing
253d1e05529SJohn Baldwinsoftware encryption and decryption.
254d1e05529SJohn BaldwinAs a result, it is only supported on architectures with a direct map.
255d1e05529SJohn Baldwin.Sh SEE ALSO
256d1e05529SJohn Baldwin.Xr cxgbe 4 ,
257d1e05529SJohn Baldwin.Xr mlx5en 4 ,
258d1e05529SJohn Baldwin.Xr tcp 4 ,
259d1e05529SJohn Baldwin.Xr ifconfig 8 ,
260d1e05529SJohn Baldwin.Xr sysctl 8 ,
261d1e05529SJohn Baldwin.Xr crypto 9
262d1e05529SJohn Baldwin.Sh HISTORY
263d1e05529SJohn BaldwinKernel TLS first appeared in
264d1e05529SJohn Baldwin.Fx 13.0 .
265