From: Dave Watson Subject: Re: [PATCH v3 net-next 0/4] kernel TLS Date: Wed, 14 Jun 2017 15:17:38 -0700 Message-ID: <20170614221738.GC72301@davejwatson-mba.dhcp.thefacebook.com> References: <20170614183654.GA80067@davejwatson-mba.dhcp.thefacebook.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Cc: Ilya Lesokhin , Aviad Yehezkel , Boris Pismenny , Liran Liss , Matan Barak , David Miller , Linux Kernel Network Developers , Herbert Xu , Linux Crypto Mailing List , Hannes Frederic Sowa , Eric Dumazet , Alexei Starovoitov , , =?iso-8859-1?Q?Fridol=EDn_Pokorn=FD?= To: Tom Herbert Return-path: Content-Disposition: inline In-Reply-To: Sender: netdev-owner@vger.kernel.org List-Id: linux-crypto.vger.kernel.org On 06/14/17 01:54 PM, Tom Herbert wrote: > On Wed, Jun 14, 2017 at 11:36 AM, Dave Watson wrote: > > This series adds support for kernel TLS encryption over TCP sockets. > > A standard TCP socket is converted to a TLS socket using a setsockopt. > > Only symmetric crypto is done in the kernel, as well as TLS record > > framing. The handshake remains in userspace, and the negotiated > > cipher keys/iv are provided to the TCP socket. > > > I don't see support for TLS receive path in the kernel, only the send > path. Am I missing something? Correct, this is only TX. Since it sounds likely some hardware might only be able to offload TX, we decided to configure TX and RX separately. Using the OpenSSL patches, it should be transparent to users even if only one side is offloaded. The software RX patches exist but haven't been polished up yet.