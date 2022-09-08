The proposal aims to provide GnuTLS users with a high throughput data transfer mechanism on encrypted channels.

While Fedora 37 is expected to be released in late October, new features for Fedora 38 are already being discussed by the community. František Krenželok and Daiki Ueno from Red Hat proposed to accelerate GnuTLS using kernel TLS (kTLS). The aim is to give GnuTLS users a high-throughput data transfer mechanism on encrypted channels, and in particular better performance for network block devices.

Live VM Migration

According to the proposal on the Fedora Project's wiki page, GnuTLS will detect whether the running kernel supports kernel TLS and automatically enable it when the negotiated session is compatible. The document says,

« We accomplish this with KTLS which offloads enc/decryption (TLS record) to the kernel, while GnuTLS handles initial connection (TLS handshake). GnuTLS will detect whether the kernel supports kTLS and will automatically enable its usage when compatible. Any package built against GnuTLS is likely to see some performance benefit from kTLS, provided it has not installed custom push/pull I/O function callbacks. »

kTLS reduces context switching and avoids data copies when the application uses sendfile(). Suitable NIC hardware additionally allows the encryption itself to be offloaded, freeing the main CPUs for application work. Even without offloading hardware, kTLS can still improve parallelism, because the kernel can perform the encryption on a different host CPU from the one running the application threads.

The main benefit is the acceleration of large data transfers over encrypted channels. With the TLS record layer in the kernel, sendfile() lets an application push file data straight out through the socket without a round trip through user space, saving two context switches and two extra user-space buffer copies per chunk. The expected benefits are:

Acceleration of live VM migration, which should reduce the downtime of services used by both users and developers.

Increased speed at which files can be retrieved from NBD over an encrypted channel, with less CPU and memory strain on the NBD server.