* [PATCH RFC 0/5] NFSD support for RPC-with-TLS
@ 2023-03-20 14:24 Chuck Lever
From: Chuck Lever @ 2023-03-20 14:24 UTC (permalink / raw)
  To: linux-nfs; +Cc: kernel-tls-handshake

Hi-

This is server-side support for RPC-with-TLS, to accompany similar
support in the Linux NFS client. This implementation can support
both the opportunistic use of transport layer security (it will be
used if the client cares to) and the required use of transport
layer security (the server requires the client to use it to access
a particular export).

The kernel patches, along with the handshake upcall, are carried
in the topic-rpc-with-tls-upcall branch available from:

https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git

The user space component of the upcall can be found in the
netlink-v7 branch from:

https://github.com/oracle/ktls-utils

This work includes a man page, tlshd(8), that explains how to set
up certificates for the server to use. Currently, NFS support for
RPC-with-TLS does not implement support for pre-shared keys.

Without any other user space componentry, this implementation will
be able to handle clients that request the use of RPC-with-TLS. To
support security policies that restrict access to exports based on
the client's use of TLS, modifications to exportfs and mountd are
needed. These can be found here:

git://git.linux-nfs.org/projects/cel/nfs-utils.git

They include an update to exports(5) explaining how to use the new
"xprtsec=" export option. I will post these for review under
separate cover.

---

Chuck Lever (5):
      SUNRPC: Revert 987c7b1d094d
      SUNRPC: Recognize control messages in server-side TCP socket code
      SUNRPC: Ensure server-side sockets have a sock->file
      SUNRPC: Support TLS handshake in the server-side TCP socket code
      NFSD: Handle new xprtsec= export option


 fs/nfsd/export.c                |  53 +++++++++-
 fs/nfsd/export.h                |  11 ++
 include/linux/sunrpc/svc_xprt.h |   5 +-
 include/linux/sunrpc/svcsock.h  |   2 +
 include/trace/events/sunrpc.h   |  42 +++++++-
 net/sunrpc/svc_xprt.c           |   5 +-
 net/sunrpc/svcauth_unix.c       |  11 +-
 net/sunrpc/svcsock.c            | 177 +++++++++++++++++++++++++++++---
 8 files changed, 284 insertions(+), 22 deletions(-)

--
Chuck Lever

