Hi all,
nvme-over-tcp has the option to utilize TLS for encrypted traffic, but
due to the internal design of the nvme-over-fabrics stack we cannot
initiate the TLS connection from userspace (as the current in-kernel TLS
implementation is designed).
This leaves us with two options:
1) Put TLS handshake into the kernel (which will be quite some
discussion as it's arguably a userspace configuration)
2) Pass an in-kernel socket to userspace and have a userspace
application to run the TLS handshake.
None of these options are quiet clear cut, as we will be have to put
quite some complexity into the kernel to do full TLS handshake (if we
were to go with option 1) or will have to design a mechanism to pass
an in-kernel socket to userspace as we don't do that currently (if we
were going with option 2).
We have been discussing some ideas on how to implement option 2
(together with Chuck Lever and the NFS crowd), but so far haven't been
able to come up with a decent design.
So I would like to discuss with interested parties on how TLS handshake
could be facilitated, and what would be the best design options here.
The proposed configd would be an option, but then we don't have that,
either :-)
Required attendees:
Chuck Lever
James Bottomley
Sagi Grimberg
I'd be interested to discuss this.
One other item with TLS besides the handshake part is that
nfs/cifs/nvme-tcp are all tcp ulps like tls itself, which at
the currently cannot be stacked IIRC (all use sk callbacks,
including tls).
Is anyone looking into enabling stacking tcp ulps on top of tls?
