@vladak
Last active February 4, 2022 10:17
FreeBSD KTLS build

FreeBSD-current KTLS setup

The goal is to use FreeBSD as a KTLS client.

ref: https://docs.freebsd.org/en/books/handbook/cutting-edge/

Notes:

  • GENERIC kernel configuration has the KERN_TLS option set by default
  • rpc.tls* daemons are built by default

Build

Complete (hopefully) build steps:

  • Storage preparation (a separate pool on ada1 takes over /tmp, /usr/obj and /usr/src; the existing zroot datasets are moved aside, not destroyed):
    gpart create -s GPT ada1
    zpool create build ada1
    zfs create build/tmp
    zfs set mountpoint=/mnt zroot/tmp
    zfs set mountpoint=/tmp build/tmp
    chmod 1777 /tmp
    zfs create -o mountpoint=/usr/obj build/obj
    zfs set mountpoint=/usr/src.old zroot/usr/src
    zfs create -o mountpoint=/usr/src build/src   # child dataset; the pool root "build" already exists
  • Git repository preparation:
    cd /usr/src
    git init
    git remote add origin https://git.freebsd.org/src.git
    git checkout -b main                          # "git branch main" fails on the unborn branch of a fresh repository
    env https_proxy=... git pull origin main      # no upstream is configured yet, so name the remote and branch
  • build:
    • the objects will be stored under e.g. /usr/obj/usr/src/amd64.amd64/usr.sbin/rpc.tlsclntd/
    cd /usr/src
    make -j4 buildworld >out
  • install:
    TBD

Run

enable NFS client:

cat <<EOF >/etc/rc.conf.local
nfs_client_enable="YES"
EOF

enable tlsclntd to start during boot as per the rc.conf(5) man page:

cat <<EOF >/etc/rc.conf.d/tlsclntd
tlsclntd_enable="YES"
tlsclntd_flags="-v"
EOF

This assumes that the rc script /etc/rc.d/tlsclntd is in place (if not, copy it from /usr/src/libexec/rc/rc.d/tlsclntd); the /etc/rc.conf.d/tlsclntd fragment written above only holds its settings.

enable kernel TLS:

sysctl -w kern.ipc.tls.enable=1
echo kern.ipc.tls.enable=1 >> /etc/sysctl.conf

Now rpc.tlsclntd can be run by hand (it will be started after reboot thanks to the /etc/rc.conf.d/tlsclntd):

rpc.tlsclntd -d
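A quick way to confirm that the Notes and the Run section actually hold on the box (KERN_TLS in the running kernel, the sysctl on, the rc variables set, the rc script present, the daemon up) is the script below. It is an added example, not part of the gist: the check_* functions read their input on stdin so they can be tried against constructed text, and run_live feeds them the real sysctl(8), rc.conf(5) files and pgrep(1) output. It assumes the kernel was built with INCLUDE_CONFIG_FILE (GENERIC sets it) so that kern.conftxt exists, and that the daemon's process name is rpc.tlsclntd.

```sh
#!/bin/sh
# ktls_client_check.sh: post-setup checks for a FreeBSD KTLS (NFS-over-TLS) client.
# Added example, not from the gist. Each check_* function reads stdin so it can be
# exercised with constructed text; run_live wires the checks to the live system.
# Assumption: kern.conftxt is present (kernel built with INCLUDE_CONFIG_FILE).

# The kernel config text contains "options KERN_TLS" (stdin: `sysctl -n kern.conftxt`).
check_kern_tls_option() {
    grep -Eq '^options[[:space:]]+KERN_TLS([[:space:]]|$)'
}

# kern.ipc.tls.enable reads 1 (stdin: output of `sysctl -n kern.ipc.tls.enable`).
check_tls_sysctl() {
    [ "$(head -n 1 | tr -d '[:space:]')" = "1" ]
}

# The rc.conf(5) variable named in $1 is set to YES in the text on stdin.
# Accepts var="YES", var='YES' and var=yes, drops "#" comments, and lets the
# last assignment win, which is how rc(8) evaluates the files.
check_rc_yes() {
    rc_var="$1"
    rc_val=$(sed -n -e 's/#.*//' \
        -e "s/^[[:space:]]*${rc_var}=[\"']\{0,1\}\([A-Za-z]*\)[\"']\{0,1\}.*/\1/p" | tail -n 1)
    [ "$(printf '%s' "$rc_val" | tr '[:lower:]' '[:upper:]')" = "YES" ]
}

# Stdin lists at least one non-blank token (used with `pgrep -x rpc.tlsclntd`).
check_nonempty() {
    grep -q '[^[:space:]]'
}

# Run every check against the live system; return non-zero if any of them fails.
run_live() {
    live_rc=0
    sysctl -n kern.conftxt | check_kern_tls_option \
        || { echo "FAIL: running kernel lacks options KERN_TLS"; live_rc=1; }
    sysctl -n kern.ipc.tls.enable | check_tls_sysctl \
        || { echo "FAIL: kern.ipc.tls.enable is not 1"; live_rc=1; }
    cat /etc/rc.conf /etc/rc.conf.local 2>/dev/null | check_rc_yes nfs_client_enable \
        || { echo "FAIL: nfs_client_enable is not YES"; live_rc=1; }
    cat /etc/rc.conf /etc/rc.conf.local /etc/rc.conf.d/tlsclntd 2>/dev/null \
        | check_rc_yes tlsclntd_enable \
        || { echo "FAIL: tlsclntd_enable is not YES"; live_rc=1; }
    [ -x /etc/rc.d/tlsclntd ] \
        || { echo "FAIL: rc script /etc/rc.d/tlsclntd is missing"; live_rc=1; }
    pgrep -x rpc.tlsclntd | check_nonempty \
        || { echo "FAIL: rpc.tlsclntd is not running"; live_rc=1; }
    [ "$live_rc" -eq 0 ] && echo "OK: KTLS client prerequisites satisfied"
    return "$live_rc"
}

# Only touch the live system when asked: `sh ktls_client_check.sh --live`
case "${1:-}" in
    --live) run_live ;;
esac
```

Run it as root with `--live` after the steps above; a non-zero exit with the FAIL lines tells you which step was skipped. The rc check deliberately concatenates rc.conf, rc.conf.local and the rc.conf.d fragment so that a `tlsclntd_enable="NO"` left in a later file is caught rather than silently overriding the fragment.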