Should we enable KERN_TLS on amd64 for FreeBSD 13?
Steve Kargl
sgk at troutmask.apl.washington.edu
Fri Jan 8 20:23:07 UTC 2021
On Fri, Jan 08, 2021 at 12:26:38PM -0500, Andrew Gallatin wrote:
>
> Kernel TLS (KTLS) support was added roughly a year ago, and provides
> an efficient software or hardware accelerated path to have the kernel
> (or the NIC) handle TLS crypto. This is quite useful for web and
> NFS servers, and provides a huge (2x -> 5x) efficiency gain by
> avoiding data copies into userspace for crypto, and potentially
> offloading the crypto to hardware.
>
> KTLS is well tested on amd64, having been used in production at Netflix
> for nearly 4 years. The vast majority of Netflix video has been served
> via KTLS for the last few years. It's what has allowed us to serve
> 100Gb/s on Xeon 2697A cpus for years, and what allows us to serve
> nearly 400Gb/s on AMD servers with NICs which support crypto offload.
>
> I have received a few requests to enable it by default in GENERIC, and
> I'd like to get some opinions.
>
> There are essentially 3 options
>
> 1) Fully enable KTLS by adding 'options KERN_TLS' to GENERIC, and
> flipping kern.ipc.tls.enable=1
>
> The advantage of this is that it "just works" out of the box for users,
> and for reviewers.
>
> The drawback is that new code is thrust on unsuspecting users,
> potentially exposing them to bugs that we have not found in our
> somewhat limited web serving workload.
>
> 2) Enable KTLS in GENERIC, but leave it turned off by default.
>
> This option allows users to enable ktls without a rebuild of GENERIC,
> but does not enable it by default. So they can enable it if they
> know about it, but are protected from bugs.
>
> The disadvantages of this are that it increases the kernel size
> by ~20K, starts up one thread per core on every amd64 machine,
> and it adds more required tuning to get good performance from FreeBSD.
>
>
> 3) Continue along with KTLS disabled in GENERIC
>
> This is the lowest risk, but adds a higher bar for users wanting
> to use ktls.
>
Drew,
For those that use a custom kernel configuration, would we need
to add 'options KERN_TLS' to our config files, or can a module
be loaded from the boot loader (i.e. via /boot/loader.conf)?
I have no preference between 1 or 2, either seems acceptable to
me for those running the bleeding edge.
--
Steve
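The three options in the quoted message map onto three observable states of a running kernel: KTLS not compiled in, compiled in but `kern.ipc.tls.enable=0`, or compiled in and enabled. The script below is an added example written for this page, not code from the thread or from FreeBSD; it reports which state a host is in so an operator can tell whether a given kernel is exposed to the new code path. It assumes (an assumption, not stated in the thread) that the `kern.ipc.tls.enable` sysctl is only present when the kernel was built with `options KERN_TLS`, and that `sysctl -n` prints the bare value; the classification logic is separated from the live probe so it can be exercised on constructed input.

```shell
#!/bin/sh
# Added example: report Kernel TLS (KTLS) state on a FreeBSD host.
# Assumption: kern.ipc.tls.enable (named in the thread) exists only when the
# running kernel was built with 'options KERN_TLS'. That is the heuristic used.

# ktls_classify: takes the raw output of `sysctl -n kern.ipc.tls.enable`
# (empty string when the sysctl does not exist) and prints one word:
#   absent   - KTLS not compiled into the running kernel (option 3 in the thread)
#   disabled - compiled in, but kern.ipc.tls.enable=0 (option 2)
#   enabled  - compiled in and switched on (option 1)
#   unknown  - anything else (garbled or unexpected sysctl output)
ktls_classify() {
    case "$1" in
        "")       echo absent ;;
        0)        echo disabled ;;
        [1-9]*)   echo enabled ;;
        *)        echo unknown ;;
    esac
}

# ktls_probe: query the live system. Prints nothing (and still succeeds)
# when the sysctl is missing, so callers can feed the result to ktls_classify.
ktls_probe() {
    sysctl -n kern.ipc.tls.enable 2>/dev/null || true
}

# ktls_sysctl_conf_line: the /etc/sysctl.conf line that makes a chosen
# setting persistent across reboots; argument is 0 or 1.
ktls_sysctl_conf_line() {
    case "$1" in
        0|1) echo "kern.ipc.tls.enable=$1" ;;
        *)   echo "usage: ktls_sysctl_conf_line 0|1" >&2; return 1 ;;
    esac
}

# ktls_report: human-readable summary for the operator.
ktls_report() {
    state=$(ktls_classify "$(ktls_probe)")
    case "$state" in
        absent)   echo "KTLS: not compiled into this kernel (no KERN_TLS)" ;;
        disabled) echo "KTLS: compiled in but disabled; to enable persistently add:"
                  echo "      $(ktls_sysctl_conf_line 1) to /etc/sysctl.conf" ;;
        enabled)  echo "KTLS: compiled in and enabled" ;;
        *)        echo "KTLS: could not determine state" ;;
    esac
}

ktls_report
```

On a host without FreeBSD's `sysctl` the probe simply yields the `absent` state, so the script is safe to drop into a fleet-wide audit without special-casing the platform.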