This is a tracking bug for Change: KTLS implementation for GnuTLS. For more details, see: https://fedoraproject.org/wiki/Changes/KTLSSupportForGnuTLS Summary: Acceleration of GnuTLS with software Kernel TLS (KTLS). If you encounter a bug related to this Change, please do not comment here. Instead create a new bug and set it to block this bug.
Today we reached the Code Complete (Testable) milestone on the F38 schedule: https://fedorapeople.org/groups/schedule/f-38/f-38-key-tasks.html At this time, all F38 Changes should be complete enough to be testable. You can indicate this by setting this tracker to the MODIFIED status. If the Change is 100% code complete, you can set the tracker to ON_QA. If you need to defer this Change to F39, please NEEDINFO me. Changes that have not reached at least the MODIFIED status will be given to FESCo for evaluation of contingency plans.
Hey Ben. Although the code is complete, we decided to postpone this change to F39 as the KTLS key_update kernel patch was not yet included in the Linux or Fedora kernel. https://pagure.io/fesco/issue/2871#comment-824428
Deferred to F39
Can we get another status update here, please? Where does this stand wrt F39? Thanks!
Hey Adam, It will have to be postponed once more as the key-update capability (which is a requirement for this feature) was not yet added to the kernel. I have high hopes that it will be done by the F40 release. The kTLS key-update implementation mail thread: https://lore.kernel.org/netdev/49bb1e97ace3d18c7b57b2ae6a5011643d351f0a.1691584074.git.sd@queasysnail.net/
Roger roger.
Hi Frantisek, How goes the inclusion of the feature required for this change in the kernel? Has it landed and this change is still targeting F40? I'm checking in on all changes for F40 now that we are past the Testable deadline and are heading towards the 100% complete one, so any update you have to indicate whether this change is still intended and on track or not is much appreciated. Thanks! Aoife
Hey Aoife, The feature was not yet implemented so no landing in F40. I haven't been able to reach Sabrina (the potential implementer of the kernel patch). Will try to reach again. Regards, František
Deferred to F41, then (Aoife is on vacation). Thanks.
Hi Frantisek, how goes this change for F41? Is it landed/landing? It needs to be code complete before next Tuesday 27th August before we go into Beta freeze so if you could give an update on the status that would be very appreciated. Thanks! Aoife
Hey Aoife, I will check the kernel tomorrow if the required change made it there.
Hey Aoife, The kernel rekey is still not implemented. I have created a task to follow up on this in the next quarter. Will consider dropping this change if the kernel features turn out to be infeasible.
Hi Frantisek, thanks for the update! I will move this to F42 and check back in early in the release cycle whether this change is going to happen. Thanks again!
Hey Aoife, I have checked the kernel implementation and it is still not implemented, and I think it won't be for a long time. We should put this on hold. Any ideas as to how?
nvm, it has picked up some traction just now
nvm, it has just picked up some traction.
Sorry for the delay Frantisek. Glad to hear there's been a bit of movement. If it stalls again I think it might be best to remove this as a change entirely. It can always be picked back up at a later date, but I will leave this target F42 for now and check back in closer to the testable deadline on how things are progressing. Thanks, Aoife
Hi Frantisek, how goes this change for F42? The TESTABLE deadline is in just over two weeks, on February 4th so the change needs to be in good shape to make the Beta https://docs.fedoraproject.org/en-US/program_management/changes_policy/#_change_process_milestones . Hopefully all is going better this release cycle, but if you need to make changes to defer, just let me know. Thanks, Aoife
Hey Aoife, I have just checked and the required changes to the kernel were made. Unfortunately I won't be able to test them in time, so I would propose postponing to yet another cycle (which would hopefully be the final one). Regards, Frantisek
There is actually a high chance the TLS 1.3 rekey patches will be included in kernel 6.14 (and thus F-42): https://lore.kernel.org/netdev/20250121125748.37808-1-pabeni@redhat.com/ https://lwn.net/Articles/1001958/ Frantisek, do you remember if we need something additional in the userspace, or it's already implemented?
I went through both codes (kernel, GnuTLS). It seems that everything is in place. We only need to test the key-update (possibly write a test for it). The key-update "calls" are already in place in lib/tls13/key_update.c, which I was afraid was not the case.
I will perform verification by Friday. If the verification is successful, the change in GnuTLS to enable kTLS by default is trivial; we just need to make sure that the correct kernel version also lands.
Status update: The preliminary testing looks good, we need to add a new error message type introduced by the rekey kTLS patch which shouldn't take long.
The change was in checked into rawhide in time I suppose we are postponing to f43
We discussed this during the FESCo meeting today: AGREED: The change is retargeted to F43 (+5, 0, 0)
Updated the wiki and tracker bug as per FESCo and change owner request.