Revision as of 09:03, 23 August 2022

Comments and Explanations
The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "view source" link.
Copy the source to a new page before making changes! DO NOT EDIT THIS TEMPLATE FOR YOUR CHANGE PROPOSAL.

Guidance
For details on how to fill out this form, see the documentation.

KTLS implementation for GnuTLS

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Acceleration of GnuTLS with software Kernel TLS (KTLS)

Owner

Name: František Krenželok, Daiki Ueno
Email: fkrenzel@redhat.com, dueno@redhat.com

Current status

Targeted release: Fedora Linux 38
Last updated: 2022-08-23
FESCo issue: <will be assigned by the Wrangler>
Tracker bug: <will be assigned by the Wrangler>
Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

The goal of this change is to provide GnuTLS users with a high throughput data transfer mechanism on encrypted channels, with emphasis on network block devices (NBD).

We accomplish this with KTLS which offloads enc/decryption (TLS record) to the kernel, while GnuTLS handles initial connection (TLS handshake). This approach saves us from frequent context switching as well as data copies in userspace when using send_file() function.

Feedback

Benefit to Fedora

The improvement lies in acceleration of large data transfers trough encrypted channels. The send_file function enables us to send data directly trough socket without entering user space, saving us from 2 context switches and 2 additional user space buffers. This is especially useful for NBD

Benefits

Acceleration of live VM migration, which should mitigate the downtime for various services used by both the users and the developers.

Increased speed at which files can be retrieved from NBD via encrypted channel and less CPU and memory strain on NBD server.

packages that might benefit: nbd nbdkit qemu

Scope

Proposal owners:

Support for KTLS key update in GnuTLS track: gitlab

Other developers:

Support for TLS1.3 key update in KTLS module

Release engineering: #Releng issue number

Policies and guidelines: N/A (not needed for this Change)

Trademark approval: N/A (not needed for this Change)

Alignment with Objectives:

Upgrade/compatibility impact

Although this feature will be enabled by default, users will not notice any change, as in case of failure to initialize KTLS, GnuTLS will fallback to the currently used mode of operation.

Users will be also provided with means to disable this feature trough crypto-policies

How To Test

To enable this feature user has to:

load TLS kernel module (modprobe tls)
enable ktls with crypto policies

Once proposal accepted
KTLS will be enabled by default and this step will not be needed.

$ cat > /etc/crypto-policies/local.d/gnutls-ktls.config <<EOF
[global]
ktls = true
EOF

$ update-crypto-policies

KTLS will not initialize if app uses custom push/pull callback for GnuTLS.

User Experience

This change should accelerate large data transfers especially that of files. This will affect users that use applications which utilize GnuTLS for encrypting communication channels.

Dependencies

Currently KTLS doesn't support key_update (The keys delivered to the kernel can’t be set more than once per session) so a kernel module patch would be needed for this functionality.

Contingency Plan

Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
Contingency deadline: N/A (not a System Wide Change)
Blocks release? N/A (not a System Wide Change), Yes/No

Documentation

API

gnutls_transport_is_ktls_enabled() To check if KTLS was properly initialized on the interfaces:

it has to be invoked no earlier that after a TLS-handshake

 gnutls_transport_ktls_enable_flags_t gnutls_transport_is_ktls_enabled(gnutls_session_t session);

gnutls_record_send_file() To send data directly from a file descriptor in a zero-copy manner if KTLS is enabled; otherwise it will just iteratively read from the file descriptor:

 ssize_t gnutls_record_send_file(gnutls_session_t session, int fd, off_t *offset, size_t count);

N/A (not a System Wide Change)

Release Notes

@@ Line 10: / Line 10: @@
 == Summary ==
-<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. Note that motivation for the change should be in the Benefit to Fedora section below, and this part should answer the question "What?" rather than "Why?". -->
 Acceleration of GnuTLS with software ''Kernel TLS'' (KTLS)
 == Owner ==
-<!--
-For change proposals to qualify as self-contained, owners of all affected packages need to be included here. Alternatively, a SIG can be listed as an owner if it owns all affected packages.
-This should link to your home wiki page so we know who you are.
--->
 * Name: [[User:Fkrenzel| František Krenželok]], [[User:Ueno| Daiki Ueno]]
-<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. -->
 * Email: fkrenzel@redhat.com, dueno@redhat.com
 <!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
@@ Line 57: / Line 51: @@
 == Benefit to Fedora ==
-The improvement lies in acceleration of large data transfer trough encrypted channels.
+The improvement lies in acceleration of large data transfers trough encrypted channels.
-The send_file function enables us to send data directly trough socket without entering user space, saving us from 2 context switches and 2 additional buffers. This is especially useful for NBD
+The send_file function enables us to send data directly trough socket without entering user space, saving us from 2 context switches and 2 additional user space buffers. This is especially useful for NBD
+'''Benefits'''
+* Acceleration of ''live VM migration'', which should mitigate the downtime for various services used by both the users and the developers.
-One of the benefits might be acceleration of ''live VM migration'', which should mitigate the downtime for various services used by both the users and the developers.
+* Increased speed at which files can be retrieved from NBD via encrypted channel and less CPU and memory strain on NBD server.
 packages that might benefit: {{package|nbd}} {{package|nbdkit}} {{package|qemu}}
@@ Line 67: / Line 64: @@
 * Proposal owners:
 <!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
+Support for KTLS key update in GnuTLS ''track'': [https://gitlab.com/gnutls/gnutls/-/merge_requests/1625 gitlab]
 * Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 <!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
+Support for TLS1.3 key update in KTLS module
 * Release engineering: [https://pagure.io/releng/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->

Search

Changes/KTLSSupportForGnuTLS: Difference between revisions