# SPDX-License-Identifier: GPL-2.0-only
#
# TLS configuration
#
config TLS
	tristate "Transport Layer Security support"
	depends on INET
	select CRYPTO
	select CRYPTO_AES
	select CRYPTO_GCM
	select STREAM_PARSER
	select NET_SOCK_MSG
	default n
	help
	  Enable kernel support for TLS protocol. This allows symmetric
	  encryption handling of the TLS protocol to be done in-kernel.

	  If unsure, say N.

config TLS_DEVICE
	bool "Transport Layer Security HW offload"
	depends on TLS
	select SKB_DECRYPTED
	select SOCK_VALIDATE_XMIT
	select SOCK_RX_QUEUE_MAPPING
	default n
	help
	  Enable kernel support for HW offload of the TLS protocol.

	  If unsure, say N.

config TLS_TOE
	bool "Transport Layer Security TCP stack bypass"
	depends on TLS
	default n
	help
	  Enable kernel support for legacy HW offload of the TLS protocol,
	  which is incompatible with the Linux networking stack semantics.

	  If unsure, say N.

Commit annotating the `select STREAM_PARSER` line (2018-03-22 10:10:35 -07:00):

tls: RX path for ktls

Add rx path for tls software implementation.
recvmsg, splice_read, and poll implemented.

An additional sockopt TLS_RX is added, with the same interface as
TLS_TX. Either TLS_RX or TLS_TX may be provided separately, or
together (with two different setsockopt calls with appropriate keys).

Control messages are passed via CMSG in a similar way to transmit.
If no cmsg buffer is passed, then only application data records
will be passed to userspace, and EIO is returned for other types of
alerts.

EBADMSG is passed for decryption errors, and EMSGSIZE is passed for
framing too big, and EBADMSG for framing too small (matching openssl
semantics). EINVAL is returned for TLS versions that do not match the
original setsockopt call. All are unrecoverable.

strparser is used to parse TLS framing. Decryption is done directly
into userspace buffers if they are large enough to support it, otherwise
sk_cow_data is called (similar to ipsec), and buffers are decrypted in
place and copied. splice_read always decrypts in place, since no
buffers are provided to decrypt into.

sk_poll is overridden, and only returns POLLIN if a full TLS message is
received. Otherwise we wait for strparser to finish reading a full frame.
Actual decryption is only done during recvmsg or splice_read calls.

Signed-off-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
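A userspace receive helper for the TLS_RX path the commit message above describes, written here as an added example (it is not kernel code and not part of the original commit): it calls recvmsg() with a control buffer so the kernel's TLS_GET_RECORD_TYPE cmsg is returned instead of EIO for non-data records, and documents the errno values the message lists. It assumes a Linux libc with the POSIX CMSG macros; the SOL_TLS and TLS_GET_RECORD_TYPE values are the kernel's own, repeated only so the file builds without <linux/tls.h>. The self-test uses a plain AF_UNIX socketpair and a hand-built cmsg as constructed input, since no kTLS session is available offline.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Kernel values (<linux/socket.h>, <linux/tls.h>) repeated so this builds without them. */
#define SOL_TLS 282
#define TLS_GET_RECORD_TYPE 2

/* TLS record type the kernel attached to a completed recvmsg(), or -1 when no
 * TLS_GET_RECORD_TYPE cmsg is present (no control buffer, or not a kTLS socket). */
int ktls_record_type(struct msghdr *msg)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c))
        if (c->cmsg_level == SOL_TLS && c->cmsg_type == TLS_GET_RECORD_TYPE)
            return *(unsigned char *)CMSG_DATA(c);
    return -1;
}

/* Receive one record with a control buffer, so alerts and other non-data records
 * arrive with their type instead of failing with EIO. Returns bytes read, 0 on EOF,
 * or -errno; EBADMSG, EMSGSIZE and EINVAL are unrecoverable: close the session. */
ssize_t ktls_recv_record(int fd, void *buf, size_t len, int *type)
{
    char cbuf[CMSG_SPACE(1)];
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0) return -errno;
    *type = ktls_record_type(&msg);
    return n;
}

/* Self-test on constructed input: data on an AF_UNIX socketpair carries no SOL_TLS
 * cmsg, and a hand-built control buffer announcing an alert (type 21) is decoded. */
int ktls_selftest(void)
{
    int sv[2], type = 0; char buf[16], cbuf[CMSG_SPACE(1)];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || write(sv[0], "hello", 5) != 5) return 1;
    ssize_t n = ktls_recv_record(sv[1], buf, sizeof buf, &type);
    close(sv[0]); close(sv[1]);
    if (n != 5 || type != -1) return 2;
    struct msghdr m = { .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    c->cmsg_len = CMSG_LEN(1); c->cmsg_level = SOL_TLS; c->cmsg_type = TLS_GET_RECORD_TYPE;
    *(unsigned char *)CMSG_DATA(c) = 21;            /* TLS alert record */
    return ktls_record_type(&m) == 21 ? 0 : 3;      /* 0 on success */
}
```

On a real kTLS socket (TCP_ULP "tls" set and TLS_RX configured), the same ktls_recv_record() returns application data with type 23 and delivers alerts with type 21 rather than EIO.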