Playing with kernel TLS in Linux 4.13 and Go

Linux 4.13 introduces support for nothing less than… TLS!

The 1600 LoC patch allows userspace to pass the kernel the encryption keys for an established connection, making encryption happen transparently inside the kernel.

The only ciphersuite supported is AES-128-GCM as per RFC 5288.

The kernel only handles the record layer, that is, it only takes care of encrypting packets - only encryption is supported, not decryption. 

The main motivation seems to be to allow use of sendfile(2) on TLS connections. Moreover, the end goal seems to be to do TLS offloading on dedicated hardware managed by kernel drivers.


Be the first to post a comment.

Leave a Comment

Your email address will not be published. Required fields are marked *