Netflix kernel TLS

Drew Gallatin gallatin at netflix.com
Thu Feb 22 18:12:44 UTC 2018


As discussed in the meeting today, I have backported our kernel TLS to an
upstream kernel and made it available for comment.   See the nf_ktls branch
of my public github:

https://github.com/gallatin/freebsd/tree/nf_ktls

It is enabled by 'options KERN_TLS'.

A few random facts:

- This is transmit only.

- Applications linking to OpenSSL are automatically accelerated for socket
writes, assuming that a compatible cipher is supported in the kernel.

- It adds a new OpenSSL API entry point, SSL_sendfile(), which is
self-explanatory.  You can see example usage in our patch to nginx, at
https://people.freebsd.org/~gallatin/nginx_ssl_sendfile.diff

- It has been tested and run only on AMD64.  I suspect it will work on any
arch with a direct map (e.g., PHYS_TO_DMAP, DMAP_TO_PHYS).

- It requires my vectorized unmapped mbufs (present in that branch).  Note
that my vectorized mbufs should work on any arch, and I've measured
speedups on i386, simply because we avoid mapping sf_bufs.

- It requires a backend crypto module to support the actual encryption.  I
totally suck at ports, but I've left a port of intel-isa-l at
https://people.freebsd.org/~gallatin/intel-isa-aes-kmod.txz

Best regards,

Drew
