From: Krenzelok Frantisek Date: Mon, 17 Feb 2025 22:05:28 +0000 (+0100) Subject: kTLS: Document rekey support X-Git-Tag: 3.8.10~26^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=91c4ac9001440bb416cb2bdc37022c8131a53d37;p=thirdparty%2Fgnutls.git kTLS: Document rekey support Signed-off-by: Krenzelok Frantisek --- diff --git a/NEWS b/NEWS index d04ef3631c..c74389889a 100644 --- a/NEWS +++ b/NEWS @@ -7,6 +7,13 @@ See the end for copying conditions. * Version 3.8.10 (unreleased) +** libgnutls: Linux kernel version 6.14 bring a Kernel TLS(kTLS) key update + support. The library running on the aforementioned version now utilizes the + kernel’s key update mechanism when kTLS is enabled, allowing uninterrupted + TLS session. The --enable-ktls configure option as well as the system-wide + kTLS configuration(see GnuTLS Documentation) are still required to enable + this feature. + ** libgnutls: liboqs support for PQC has been removed For maintenance purposes, support for post-quantum cryptography (PQC) is now only provided through leancrypto. The experimental key diff --git a/doc/Makefile.am b/doc/Makefile.am index 3380d16bbb..7f70b65815 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -182,7 +182,8 @@ gnutls_TEXINFOS = gnutls.texi fdl-1.3.texi \ cha-library.texi cha-preface.texi cha-programs.texi \ sec-tls-app.texi cha-errors.texi cha-support.texi \ cha-shared-key.texi cha-gtls-examples.texi cha-upgrade.texi \ - cha-tokens.texi cha-crypto.texi cha-auth.texi cha-config.texi + cha-tokens.texi cha-crypto.texi cha-auth.texi cha-config.texi \ + cha-features.texi AUTOGENED_DOC = invoke-gnutls-cli.texi invoke-gnutls-cli-debug.texi \ invoke-gnutls-serv.texi invoke-certtool.texi invoke-srptool.texi \ diff --git a/doc/cha-config.texi b/doc/cha-config.texi index cc796df9b1..08134826d9 100644 --- a/doc/cha-config.texi +++ b/doc/cha-config.texi 
@@ -262,10 +262,12 @@ The following options can overwrite default behavior of protocols system-wide. ktls = true @end example -@subsection Enabling KTLS +@node Enabling kTLS +@subsection Enabling kTLS When GnuTLS is build with -–enable-ktls configuration, KTLS is disabled by default. This can be enabled by setting @code{ktls = true} in @code{[global]} section. +kTLS requires that the system support kTLS @ref{kTLS (Kernel TLS)}. @node Enabling/Disabling RSAES-PKCS1-v1_5 @section Enabling/Disabling RSAES-PKCS1-v1_5 diff --git a/doc/cha-features.texi b/doc/cha-features.texi new file mode 100644 index 0000000000..9d48690445 --- /dev/null +++ b/doc/cha-features.texi @@ -0,0 +1,25 @@ +@node Additional Features +@appendix Additional Features + +@menu +* kTLS (Kernel TLS):: +@end menu + +@node kTLS (Kernel TLS) +@section kTLS (Kernel TLS) +@cindex kTLS (Kernel TLS) +kTLS (Kernel TLS) is a Linux kernel feature that offloads TLS encryption and decryption operations to the kernel space, improving performance and reducing CPU overhead. It allows applications to leverage zero-copy data transmission, reducing context switches between user space and kernel space. + +The following table shows how to enable kTLS support on Linux and FreeBSD systems. +@float Table,tab:ktls_support +@multitable @columnfractions .40 .30 .30 +@headitem Description @tab Linux @tab FreeBSD +@item Load kernel module @tab @code{modprobe tls} @tab @code{kldload tls} +@item Check if module is loaded @tab @code{lsmod | grep tls} @tab @code{kldstat | grep tls} +@item kTLS rekey support @tab v6.14 @tab not yet supported +@end multitable +@caption{kTLS system enable} +@end float + +To enable ktls in GnuTLS @ref{Enabling kTLS}. + diff --git a/doc/epub.texi b/doc/epub.texi index 1ec7073892..ec9df0a4a7 100644 --- a/doc/epub.texi +++ b/doc/epub.texi 
@@ -128,6 +128,7 @@ Documentation License''. * Supported ciphersuites:: * API reference:: * Copying Information:: +* Additional Features:: * Bibliography:: * Function and Data Index:: * Concept Index:: @@ -170,6 +171,8 @@ Documentation License''. @include cha-copying.texi +@include cha-features.texi + @include cha-bib.texi @node Function and Data Index diff --git a/doc/gnutls.texi b/doc/gnutls.texi index 43274ce49c..f8b31c5f15 100644 --- a/doc/gnutls.texi +++ b/doc/gnutls.texi @@ -163,6 +163,7 @@ Documentation License''. * Supported ciphersuites:: * API reference:: * Copying Information:: +* Additional Features:: * Bibliography:: * Function and Data Index:: * Concept Index:: @@ -205,6 +206,8 @@ Documentation License''. @include cha-copying.texi +@include cha-features.texi + @include cha-bib.texi @node Function and Data Index
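Review bot: in the NEWS hunk, the added entry has several wording slips that will ship in the release notes. "Linux kernel version 6.14 bring a Kernel TLS(kTLS) key update support" should read "Linux kernel version 6.14 brings Kernel TLS (kTLS) key update support", "allowing uninterrupted TLS session" needs an article or a plural, and "configuration(see GnuTLS Documentation)" is missing a space. The entry would also be easier to follow if the parenthetical named the section this commit adds ("Enabling kTLS") instead of the documentation as a whole. The apostrophe in "kernel’s" is a typographic one, and a plain ASCII apostrophe is the safer choice in a plain-text NEWS file.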
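Review bot: in the doc/cha-config.texi hunk, the added sentence "kTLS requires that the system support kTLS @ref{kTLS (Kernel TLS)}." is circular and runs the cross-reference into the sentence with no connecting word. Something like "The operating system must also provide kTLS support, see @ref{kTLS (Kernel TLS)}." reads correctly. The subsection heading is renamed to "kTLS", but the unchanged paragraph directly under it still says "KTLS" twice, says "is build" for "is built", and writes the configure option with a hyphen followed by an en dash, so it cannot be copied into a shell. Since the hunk already touches this paragraph, fixing those in the same commit keeps the section consistent with the new heading.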
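Review bot: in the new file doc/cha-features.texi, the "kTLS rekey support" row gives only "v6.14" for Linux and "not yet supported" for FreeBSD, and nothing in the section says what happens to a kTLS session on a key update when the kernel lacks rekey support. The NEWS entry in this same patch implies the session was interrupted before, so a sentence after the table stating the behaviour on older Linux kernels and on FreeBSD would tell administrators what to expect. The cell should also say what "v6.14" refers to, for example "Linux kernel 6.14 or later". The check "lsmod | grep tls" matches any module whose line contains "tls", so a stricter pattern would avoid false positives. The closing line "To enable ktls in GnuTLS @ref{Enabling kTLS}." has no verb before the reference and spells the name "ktls"; "To enable kTLS in GnuTLS, see @ref{Enabling kTLS}." matches the rest of the section. The caption "kTLS system enable" would be clearer as "Enabling kTLS in the operating system".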