#2871 Change proposal: KTLS implementation for GnuTLS
Closed: Accepted a year ago by zbyszek. Opened a year ago by bcotton.

Acceleration of GnuTLS with software Kernel TLS (KTLS)

Owners, do not implement this work until the FESCo vote has explicitly ended.
The Fedora Program Manager will create a tracking bug in Bugzilla for this Change, which is your indication to proceed.
See the FESCo ticket policy and the Changes policy for more information.

After a week, the vote is
APPROVED (+3,0,-0)

Metadata Update from @bcotton:
- Issue tagged with: pending announcement

a year ago

Metadata Update from @zbyszek:
- Issue untagged with: pending announcement
- Issue close_status updated to: Accepted
- Issue status updated to: Closed (was: Open)

a year ago


Fallback mechanism will not be supported.
GitLab issue: https://gitlab.com/gnutls/gnutls/-/issues/1420


The mechanism would require a kernel patch and would be used only when KTLS key_update support patch is missing. So applying the latter patch makes more sense as it mitigates the need for the former one.


KTLS will be disabled by default in GnuTLS
Unless running on kernel with KTLS key_update support it will be advised not to enable ktls as in case of key_update() invocation GnuTLS session will be invalidated and terminated.

Yep, this makes sense. Thank you for the info. Please update the Change page to indicate the new approach, and also make it clear that this the plan changed so that people are not confused.


The key_update kernel patch is awaiting acceptance to the Linux kernel.
mail thread: https://marc.info/?t=167396341100001&r=1&w=2

need info

If the patch doesn't make it to fedora 38, this system-wide change might lose meaning as GnuTLS-KTLS will be disabled by default; thus not affecting anyone but those that enable it in the configuration file.

I would like to ask for guidance on proceeding in this situation.

(I'm not giving a guidance but just adding some thoughts for discussion)

The options I can see here for now are:
- backport the patch set to kernel-ark
- postpone the Change to later release i.e. Fedora 39

I personally prefer the former, if possible: the API change (including the pausing behavior and the new errno) does not look too intrusive and the risk of incorporating the patch set would be limited, given the support lifecycle of Fedora 38; in case it is not accepted in the upstream kernel, I would expect we could safely back it out in later releases (i.e., both GnuTLS and OpenSSL have a configuration option to turn off KTLS, and nobody else would start using this kernel feature directly).

Login to comment on this ticket.