Page MenuHomeFreeBSD

ktls_test: Permit an option to skip tests not using ifnet TLS.
ClosedPublic

Authored by jhb on Jun 7 2022, 9:20 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Oct 23, 7:16 PM
Unknown Object (File)
Sep 17 2024, 6:40 PM
Unknown Object (File)
Sep 17 2024, 6:03 PM
Unknown Object (File)
Sep 12 2024, 6:14 PM
Unknown Object (File)
Sep 5 2024, 11:15 AM
Unknown Object (File)
Sep 2 2024, 10:20 PM
Unknown Object (File)
Aug 31 2024, 7:30 AM
Unknown Object (File)
Aug 28 2024, 8:55 PM
Subscribers

Details

Summary

If ktls.require_ifnet is set to true, then check the TLS offload mode
for tests sending and receiving records and skip the test if the
offload mode is not ifnet mode.

This can be used along with ktls.host to run KTLS tests against a NIC
supporting ifnet TLS and verify that expected cipher suites and
directions used ifnet TLS rather than software TLS. Receive tests may
result in a false positive as receive ifnet TLS can use software as a
fallback.

Sponsored by: Chelsio Communications

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 45901
Build 42789: arc lint + arc unit

Event Timeline

I've used this by enabling the echo service in inetd (and running inetd with -C 0 -R 0) on a remote host named 'host1' and then running:

kyua -v test_suites.FreeBSD.ktls.host=host1 -v test_suites.FreeBSD.ktls.require_ifnet=true test -k /usr/tests/sys/kern/Kyuafile ktls_test

Cipher suites supported by the NIC pass, and ones not supported are skipped, e.g.:

ktls_test:ktls_transmit_aes128_cbc_1_0_sha1_control  ->  skipped: connection did not use ifnet TLS  [0.004s]
ktls_test:ktls_transmit_aes128_cbc_1_0_sha1_empty_fragment  ->  skipped: connection did not use ifnet TLS  [0.005s]
ktls_test:ktls_transmit_aes128_cbc_1_0_sha1_long  ->  skipped: connection did not use ifnet TLS  [0.005s]
...
ktls_test:ktls_transmit_aes128_cbc_1_1_sha1_control  ->  passed  [0.005s]
ktls_test:ktls_transmit_aes128_cbc_1_1_sha1_empty_fragment  ->  passed  [0.004s]
ktls_test:ktls_transmit_aes128_cbc_1_1_sha1_long  ->  passed  [0.005s]
...
ktls_test:ktls_transmit_aes128_gcm_1_2_control  ->  passed  [0.005s]
ktls_test:ktls_transmit_aes128_gcm_1_2_empty_fragment  ->  passed  [0.004s]
ktls_test:ktls_transmit_aes128_gcm_1_2_long  ->  passed  [0.005s]
ktls_test:ktls_transmit_aes128_gcm_1_2_short  ->  passed  [0.005s]
ktls_test:ktls_transmit_aes128_gcm_1_3_control  ->  skipped: connection did not use ifnet TLS  [0.004s]
ktls_test:ktls_transmit_aes128_gcm_1_3_empty_fragment  ->  skipped: connection did not use ifnet TLS  [0.004s]
ktls_test:ktls_transmit_aes128_gcm_1_3_long  ->  skipped: connection did not use ifnet TLS  [0.005s]
ktls_test:ktls_transmit_aes128_gcm_1_3_short  ->  skipped: connection did not use ifnet TLS  [0.004s]

Note that since T6 doesn't support RX offload, I've only been able to test the TX side, but receive should in theory work the same with the caveat that since the receive tests are so short they may end up using software decrypt for all of the traffic.

This revision is now accepted and ready to land.Jun 13 2022, 6:26 PM