TLS in the kernel
An RFC patch from Dave Watson at Facebook proposes moving the bulk of Transport Layer Security (TLS) processing into the kernel. There are a number of advantages he sees for doing so, but most of the commenters on the patch set seem a bit skeptical about the idea. TLS is, of course, the encryption layer that protects HTTPS and other internet protocols.
The patch set implements RFC 5288 encryption for TLS, which is based on the 128-bit advanced encryption standard (AES) using Galois counter mode (GCM)—also known as "gcm(aes)". That accounts for roughly 80% of the TLS connections that Facebook sees, Watson said. The idea is for the kernel to handle the symmetric encryption and decryption, while leaving the handshake processing to user space. The feature uses the user-space API to the kernel's crypto subsystem, which is accessed via sockets created using the AF_ALG address family.
The basic idea is that an AF_ALG socket and a regular TCP socket are both created. The TCP socket is used to do the handshake with the remote endpoint, which establishes keys and such. The keys (one each for sending and receiving) are passed to the crypto socket using setsockopt(). An operational socket is also created by making an accept() call on the crypto socket. That socket is used in further processing, including setting the initialization vectors (IVs) using sendmsg() and control messages created using CMSG. There are also two IVs, one for each direction. In addition, the file descriptor for the TCP socket is passed to the operational socket in a control message; the application will then read and write data from the operational socket. Watson pointed to an example C program that uses the new facility.
That approach has a number of benefits, according to Watson. Using some additional code that was not part of his submission, he said the in-kernel TLS showed 2-7% better performance than the equivalent done in user space. The idea was inspired by some work [PDF] that Netflix did on FreeBSD to improve the performance of TLS. In addition, two other features could benefit from having TLS in the kernel, he said. The kernel connection multiplexer (KCM) needs access to unencrypted data in the kernel, which this would provide; offloading TLS encryption and decryption to NICs would also require TLS framing support in the kernel.
But Hannes Frederic Sowa questioned two of those advantages. He believes that the existing facilities provided by Linux already do less copying than those that FreeBSD provides, so he suggested comparing the in-kernel approach with a user-space implementation using mmap() and vmsplice() on the TCP socket. Beyond that, he noted that kernel developers have been strong opponents of TCP-offloading efforts. In order to provide TLS offloading, a NIC would also need to handle the TCP layer, so it would effectively be doing TCP offloading as well.
Crypto maintainer Herbert Xu was a bit surprised at the approach. While he can see that using AF_ALG makes sense as a way to export TLS functionality to user space, it's not the way he might have approached it:
But Watson noted that handling out-of-band (OOB) data is one reason to not just layer TLS on top of a TCP socket. TLS transfers data beyond just the data being sent by the application, for things like alerts or to change the cipher being used, but a TCP socket lacks an easy way to signal the reception of that kind of data. In Watson's patches, the crypto socket returns an error in that situation and user space can then read the OOB data from the TCP socket if it wishes.
But others also questioned the value of having TLS in the kernel at all. Modern processors provide user-space programs with access to accelerated crypto instructions directly, without a need for kernel intervention. There is some crypto-acceleration hardware out there, where there might be some benefit to having TLS in the kernel, but it has mostly fallen by the wayside because of better processor support for crypto. As Sowa put it:
Since processors provide aesni and other crypto extensions as part of their instruction set architecture, this, of course, does not make sense any more.
Overall, it looks like it will take some more convincing arguments before putting TLS in the kernel will be seriously considered. For some specialized situations, it might make sense to do so, but even the limited version Watson posted adds more than 1200 lines of code to the kernel—for dubious gains. Over time, more and more crypto has been added to the kernel, though, so maybe TLS will eventually find its way in too.
| Index entries for this article | |
|---|---|
| Kernel | Networking/Protocols |
| Security | Linux kernel |
| Security | Transport Layer Security (TLS) |
Posted Dec 3, 2015 6:01 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (13 responses)
Then it could be easily plugged into ANY daemon that can accept socket FDs. Want your wonderful fingerd talk over a secure connection? No problem, just run it under a TLS wrapper.
Also, my another dream is credential separation. I want all private keys to be confined to a super secure process that communicates that simply sends sockets to other system processes once TLS handshake completes.
I have something like this for my toy TLS implementation, but getting to full TLS is complicated.
Posted Dec 3, 2015 10:04 UTC (Thu)
by pbonzini (subscriber, #60935)
[Link]
Posted Dec 3, 2015 11:13 UTC (Thu)
by zdzichu (subscriber, #17118)
[Link] (1 responses)
Posted Dec 3, 2015 18:17 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted Dec 3, 2015 12:50 UTC (Thu)
by richmoore (guest, #53133)
[Link] (3 responses)
Posted Dec 3, 2015 18:25 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (2 responses)
Error reporting and ciphersuit selection can very well be done by the "handshaker" process. In fact, it should be done there to make sure cipher preferences are not hard-coded in the application.
And I actually want in-kernel TLS for applications like webservers first.
Posted Sep 5, 2017 10:31 UTC (Tue)
by federico3 (guest, #101963)
[Link] (1 responses)
No, you are oversimplifying the problem. Moving all that complexity into the kernel would also greatly increase the attack surface and make security fixes more difficult to apply.
Posted Sep 5, 2017 18:50 UTC (Tue)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Also, don't exaggerate the complexity of code. TLS is nicely segmented, so the code to read and parse TLS datagrams is not more complicated than a typical in-kernel tunnel protocol.
Posted Dec 3, 2015 16:54 UTC (Thu)
by zokier (guest, #103686)
[Link] (4 responses)
Posted Dec 3, 2015 18:15 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (3 responses)
Posted Dec 4, 2015 22:45 UTC (Fri)
by eternaleye (guest, #67051)
[Link] (2 responses)
To explain, while TLS is based on authenticated key exchange design principles, in which you perform a key exchange under some proof of identity, Tcpcrypt is based on the idea of anonymous key exchange with channel binding. In that model, you default to a channel which is secure against passive attackers, and by using channel binding can voluntarily authenticate the peer in order to secure it against active attackers.
As a side benefit, authentication becomes an application-level concern, fixing one of the longest-standing mismatches between what TLS provides and what applications need. If you don't believe me, just look at how SRP and client certificates have obsoleted javascript-based password pr- oh wait.
Posted Dec 5, 2015 0:02 UTC (Sat)
by Cyberax (✭ supporter ✭, #52523)
[Link] (1 responses)
They both are secure from passive attacks and insecure from MITM. Securing both protocols requires some sort of a shared info: a shared CA infrastructure or a pre-shared key (yes, TLS actually can use a pre-shared key using TLS-PSK or J-PAKE). Key pinning is one way to establish a pre-shared key (by trusting the first interaction).
Posted Dec 8, 2015 3:03 UTC (Tue)
by eternaleye (guest, #67051)
[Link]
TLS still lacks support for strong channel bindings; it has TLS-unique, but that's broken by Triple Handshake. Until proper token binding (https://tools.ietf.org/html/draft-ietf-tokbind-negotiatio...) is added, TLS cannot support the same authentication flows as tcpcrypt can, where upper-layer authentication (of either or both endpoints) is securely linked to the underlying channel.
Posted Dec 4, 2015 13:11 UTC (Fri)
by paulj (subscriber, #341)
[Link]
Posted Dec 3, 2015 16:44 UTC (Thu)
by Trou.fr (subscriber, #26289)
[Link] (1 responses)
Posted Dec 10, 2015 7:52 UTC (Thu)
by farnz (subscriber, #17727)
[Link]
The patch doesn't put a full TLS parser in the kernel, though. It puts in just enough to handle Application Data records, and leaves the rest of the protocol to userspace.
As it happens, Application Data records are the most common in any high-usage TLS connection, because they're the records that do useful work from an application perspective. Thus, leaving everything else (including Heartbeat records, which were the ones that Heartbleed got wrong) to userspace isn't going to cost much in performance, but is a huge boost in kernel security.
Posted Dec 11, 2015 22:42 UTC (Fri)
by ksandstr (guest, #60862)
[Link]
Like any other proposal where performance gain is central to its claimed benefits, this one doesn't describe how much TLS was reimplemented nor estimates of which portion of the gain comes from the reimplementation's simply being the better horsecart.
For example, with kernel code often comes a restriction of applicability which limits features, therefore making common code paths simpler in terms of the length of the shortest sequence of data-dependent branches. Kernels also tend not to link to huge middleware libraries, giving more opportunities for intramodule call optimization (regparms, inlining, etc.). These two alone could account for 2%; measurement jitter could be another 2%, and after that it's marginal.
Posted Oct 5, 2017 15:15 UTC (Thu)
by arkguy (guest, #118914)
[Link] (2 responses)
Posted Oct 5, 2017 16:24 UTC (Thu)
by arkguy (guest, #118914)
[Link]
Posted Jun 14, 2019 12:57 UTC (Fri)
by mallesh537@gmail.com (guest, #132640)
[Link]
Posted Jul 4, 2022 3:11 UTC (Mon)
by scientes (guest, #83068)
[Link]
1. TLS implementations implemented RFC 7250, raw public keys.
2. TLS didn't require ASN.1 and a bunch of other overly complicated junk.
Like look at WireGuard. It isn't so friggen ugly.
TLS in the kernel
TLS in the kernel
TLS in the kernel
TLS in the kernel
TLS in the kernel
TLS in the kernel
So let the kernel deal with select() complications and everything. It's what it's designed to do, after all.
TLS in the kernel
TLS in the kernel
TLS in the kernel
TLS in the kernel
TLS in the kernel
TLS in the kernel
TLS in the kernel
TLS in the kernel
TLS in the kernel
TLS in the kernel
TLS in the kernel
Example C Program
Unfortunately I have not found any better, so the Documentation/networking/tls.txt seems to be the best start.
Example C Program
Example C Program
TLS in the kernel