Linux 4.13 introduces support for nothing less than… TLS!
The roughly 1600-line patch lets userspace hand the kernel the session keys of an already-established connection, after which the kernel encrypts outgoing data transparently; the handshake itself still happens in userspace.
The only cipher supported is AES-128-GCM (RFC 5288), and only for TLS 1.2.
The kernel handles only the record layer, and only in the transmit direction: it frames and encrypts outgoing records but does not decrypt incoming ones, so received data still goes through the userspace TLS library.
The main motivation seems to be to allow the use of sendfile(2) on TLS connections; the longer-term goal seems to be TLS offloading to dedicated NIC hardware managed by kernel drivers.
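As an added example (not code from the original post or from the kernel patch), here is how a program uses the 4.13 interface: finish the TLS 1.2 handshake in userspace, select the "tls" upper-layer protocol with TCP_ULP, then pass the write key, the 4-byte fixed IV ("salt") and the current record sequence number via SOL_TLS/TLS_TX. The UAPI constants are redefined locally so the example builds without linux/tls.h, and the key bytes are constructed placeholders; `ktls_tx_info`, `ktls_attach_tx` and `ktls_sendfile` are this example's own helpers, not kernel or library API.

```c
/*
 * Attaching kernel TLS (Linux 4.13+) to the transmit side of a TCP socket.
 * Added example, not code from the original post or from the kernel patch.
 * Assumptions: the TLS 1.2 handshake has already been completed in userspace
 * and the library exposed client_write_key / client_write_IV; the byte arrays
 * SAMPLE_KEY / SAMPLE_SALT below are constructed placeholders for them.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#ifdef __linux__
#include <sys/sendfile.h>
#endif

/* UAPI values from <linux/tls.h> / <linux/tcp.h>, redefined so the example
 * builds on systems without those headers. */
#ifndef TCP_ULP
#define TCP_ULP 31
#endif
#ifndef SOL_TLS
#define SOL_TLS 282
#endif
#define KTLS_TX 1                       /* TLS_TX: the only direction in 4.13 */
#define KTLS_1_2_VERSION 0x0303         /* TLS_1_2_VERSION */
#define KTLS_CIPHER_AES_GCM_128 51      /* TLS_CIPHER_AES_GCM_128 */

/* Same layout as struct tls12_crypto_info_aes_gcm_128 (40 bytes, no padding). */
struct ktls_aes_gcm_128_tx {
    uint16_t version;
    uint16_t cipher_type;
    uint8_t  iv[8];        /* explicit (per-record) part of the GCM nonce */
    uint8_t  key[16];      /* write key */
    uint8_t  salt[4];      /* fixed nonce part: the 4-byte write IV of RFC 5288 */
    uint8_t  rec_seq[8];   /* 64-bit record sequence number, big-endian */
};

/* Constructed placeholder key material (NOT real keys). */
static const uint8_t SAMPLE_KEY[16] = {
    0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff };
static const uint8_t SAMPLE_SALT[4] = { 0xde,0xad,0xbe,0xef };

/* Build the key block the kernel expects. next_seq is the sequence number of
 * the next record userspace would have sent (0 right after a fresh handshake).
 * Getting it wrong matters: the GCM nonce is salt||iv with iv advanced per
 * record, so restarting below the real sequence number reuses a nonce. */
struct ktls_aes_gcm_128_tx
ktls_tx_info(const uint8_t key[16], const uint8_t salt[4], uint64_t next_seq)
{
    struct ktls_aes_gcm_128_tx ci;
    memset(&ci, 0, sizeof ci);
    ci.version = KTLS_1_2_VERSION;
    ci.cipher_type = KTLS_CIPHER_AES_GCM_128;
    memcpy(ci.key, key, sizeof ci.key);
    memcpy(ci.salt, salt, sizeof ci.salt);
    for (int i = 0; i < 8; i++)
        ci.rec_seq[i] = (uint8_t)(next_seq >> (56 - 8 * i));
    /* Use the sequence number as the explicit nonce, as common TLS 1.2 stacks do. */
    memcpy(ci.iv, ci.rec_seq, sizeof ci.iv);
    return ci;
}

/* Switch fd (a connected TCP socket with the handshake finished) to kernel
 * TLS for outgoing data. Returns 0, or -1 with errno set (ENOENT typically
 * means no "tls" ULP: kernel older than 4.13 or CONFIG_TLS disabled). */
int ktls_attach_tx(int fd, const struct ktls_aes_gcm_128_tx *ci)
{
    if (setsockopt(fd, IPPROTO_TCP, TCP_ULP, "tls", sizeof "tls") < 0)
        return -1;
    return setsockopt(fd, SOL_TLS, KTLS_TX, ci, sizeof *ci);
}

/* Once attached, plain write()/sendfile() output leaves the socket as TLS
 * application-data records; this is what makes zero-copy sendfile(2) work. */
ssize_t ktls_sendfile(int sock, int file_fd, size_t len)
{
#ifdef __linux__
    off_t off = 0;
    return sendfile(sock, file_fd, &off, len);
#else
    (void)sock; (void)file_fd; (void)len;
    errno = ENOSYS;
    return -1;
#endif
}

int main(void)
{
    struct ktls_aes_gcm_128_tx ci = ktls_tx_info(SAMPLE_KEY, SAMPLE_SALT, 1);
    const uint8_t *p = (const uint8_t *)&ci;

    printf("crypto_info (%zu bytes):", sizeof ci);
    for (size_t i = 0; i < sizeof ci; i++)
        printf("%s%02x", i % 16 ? "" : "\n  ", p[i]);
    printf("\n");

    /* No real connection here, so this only exercises the error path; the
     * real flow is handshake, then attach, then sendfile. */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd >= 0) {
        if (ktls_attach_tx(fd, &ci) < 0)
            printf("ktls_attach_tx: %s\n", strerror(errno));
        close(fd);
    }
    return 0;
}
```

Two things to check in practice: the sequence number handed over must be exactly the one the userspace library would use next (a lower value reuses a GCM nonce, which breaks the cipher's integrity guarantees), and because 4.13 has no receive side, anything the peer sends back is still read and decrypted by the userspace library on the same socket.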