Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp3735084imw; Mon, 18 Jul 2022 13:33:28 -0700 (PDT) X-Google-Smtp-Source: AGRyM1vynYT1yq/s4a3tIy2BqIqTvQ1UrhZHMtsCJQUGyv7pgJyPcXHx6dO8YzJDlz56/aIhGTqJ X-Received: by 2002:a05:6402:3707:b0:437:61f9:57a9 with SMTP id ek7-20020a056402370700b0043761f957a9mr29317118edb.1.1658176408221; Mon, 18 Jul 2022 13:33:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1658176408; cv=none; d=google.com; s=arc-20160816; b=ySpUx3Fl+kosBB86/XU8qxhnONh8LQKLCCjApie9GCZ68JOVvVv1spQg829v6FRTFg vrR3XQiRQFjsHWcRYA0aE8zKAGJvim61xH4fc9xxrPZ4QFrOsIqlIUwXK6I+NiMbQF+o kEVTpZ9ju52JBqfNpDUO3lel/b1Bfbzibr1t43O4uMlY4YWk27rSNdlNlkgRoEQe+XwR mPMNkwRLLVxjWw9GbTJUW77LkNU8NegCkQnZvhL6LY+C3f/QZ31UEAv/ujCUD6mXfjMC zasUSP8CL9d8dCW9kzyT0I7t+3DsKDgpxDqhj8grFVEDC7wELp4tXkqyRx8s3sGszoeU gblA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent :content-transfer-encoding:references:in-reply-to:date:cc:to:from :subject:message-id:dkim-signature; bh=gsGPmFzPYzQTI0vXUXTL5OwuTCvjJGkC4D/5a8G2Ju4=; b=huYKB5Laq78VEtfvwDWWRZN/UGiW+60+2a2pIs1Xh5gz1ZCPB0jR9l+eoRyniP3Cgf O7qRxPl6emdV42oAfzPEimn+6rXnG2DZpqi4zdXbT4xsm8ke7hjiigcQT0jq3+jEv6nB A4q+bsn+xBHTUejRXYmT198Ct8B6z5n48wFJFKO8qqsyvt/0pFULpA8j6B/HaF+JZvYd r4HYT47twwT+k5vewRS4p/NYy6XL1FeMycD1x0pzMhaR2oqupIHUbD7MKxXFA4rKUw0Y qjWCiwjM21bjwZR0wMiZOpxgRkDTziKw3O2godVBkLq8nstxihw4NmJdkqpW/huvrv8y LKmQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=e8t05wop; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id v24-20020a056402185800b004359a5259e5si140475edy.561.2022.07.18.13.33.03; Mon, 18 Jul 2022 13:33:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=e8t05wop; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234513AbiGRU0G (ORCPT + 99 others); Mon, 18 Jul 2022 16:26:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35242 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233955AbiGRU0G (ORCPT ); Mon, 18 Jul 2022 16:26:06 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9AED526AD8 for ; Mon, 18 Jul 2022 13:26:03 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 512C0B8173A for ; Mon, 18 Jul 2022 20:26:02 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id AC11EC341C0; Mon, 18 Jul 2022 20:26:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1658175961; bh=SuMQXeAHWvkdhEh/4MyOvL702Ye2GgbKkMEbCNiqrII=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=e8t05wopVD9BXWQJIw8pcHSl9VDn7XlALvervf9XcaC2fWvfkWUH0ZV4DtJsfb+wC mIU108dKFIOm439+dQSpKHPEd3sHtZqEvZEjyjysz6FKSpMj9UiGz7SS15kQUzkmrT EfNGh5ihKmumSB91NmXYCm/WfDVPZf+0DNDz/FX0WO9UJ9yWHnlV75JFLon7iiQmmU gYkwbqOhhPFObkiFJfs+0sxw1g2rKKc5P7/vkFfN3PZRDS/qql/PKWFi4LuShFuSPR +DkyzvOHoPhB5UV+TC9JG41uMLJImOvYM85KNnnDABZtk7685mmLxVpON1NNe8DYjR 7yidW1ZSo6Mcg== Message-ID: <56188220b31296572324b4709ceafd458db47d42.camel@kernel.org> Subject: Re: [PATCH v2 00/15] RPC-with-TLS client side From: Jeff Layton To: Chuck Lever , linux-nfs@vger.kernel.org Cc: trondmy@hammerspace.com Date: Mon, 18 Jul 2022 16:25:59 -0400 In-Reply-To: <165452664596.1496.16204212908726904739.stgit@oracle-102.nfsv4.dev> References: <165452664596.1496.16204212908726904739.stgit@oracle-102.nfsv4.dev> Content-Type: text/plain; charset="ISO-8859-15" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.44.3 (3.44.3-1.fc36) MIME-Version: 1.0 X-Spam-Status: No, score=-7.8 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Mon, 2022-06-06 at 10:50 -0400, Chuck Lever wrote: > Now that the initial v5.19 merge window has closed, it's time for > another round of review for RPC-with-TLS support in the Linux NFS > client. This is just the RPC-specific portions. The full series is > available in the "topic-rpc-with-tls-upcall" branch here: >=20 > https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git >=20 > I've taken two or three steps towards implementing the architecture > Trond requested during the last review. There is now a two-stage > connection establishment process so that the upper level can use > XPRT_CONNECTED to determine when a TLS session is ready to use. > There are probably additional changes and simplifications that can > be made. Please review and provide feedback. >=20 > I wanted to make more progress on client-side authentication (ie, > passing an x.509 cert from the client to the server) but NFSD bugs > have taken all my time for the past few weeks. >=20 >=20 > Changes since v1: > - Rebased on v5.18 > - Re-ordered so generic fixes come first > - Addressed some of Trond's review comments >=20 > --- >=20 > Chuck Lever (15): > SUNRPC: Fail faster on bad verifier > SUNRPC: Widen rpc_task::tk_flags > SUNRPC: Replace dprintk() call site in xs_data_ready > NFS: Replace fs_context-related dprintk() call sites with tracepoin= ts > SUNRPC: Plumb an API for setting transport layer security > SUNRPC: Trace the rpc_create_args > SUNRPC: Refactor rpc_call_null_helper() > SUNRPC: Add RPC client support for the RPC_AUTH_TLS auth flavor > SUNRPC: Ignore data_ready callbacks during TLS handshakes > SUNRPC: Capture cmsg metadata on client-side receive > SUNRPC: Add a connect worker function for TLS > SUNRPC: Add RPC-with-TLS support to xprtsock.c > SUNRPC: Add RPC-with-TLS tracepoints > NFS: Have struct nfs_client carry a TLS policy field > NFS: Add an "xprtsec=3D" NFS mount option >=20 >=20 > fs/nfs/client.c | 14 ++ > fs/nfs/fs_context.c | 65 +++++-- > fs/nfs/internal.h | 2 + > fs/nfs/nfs3client.c | 1 + > fs/nfs/nfs4client.c | 16 +- > fs/nfs/nfstrace.h | 77 ++++++++ > fs/nfs/super.c | 7 + > include/linux/nfs_fs_sb.h | 5 +- > include/linux/sunrpc/auth.h | 1 + > include/linux/sunrpc/clnt.h | 15 +- > include/linux/sunrpc/sched.h | 32 ++-- > include/linux/sunrpc/xprt.h | 2 + > include/linux/sunrpc/xprtsock.h | 4 + > include/net/tls.h | 2 + > include/trace/events/sunrpc.h | 157 ++++++++++++++-- > net/sunrpc/Makefile | 2 +- > net/sunrpc/auth.c | 2 +- > net/sunrpc/auth_tls.c | 120 +++++++++++++ > net/sunrpc/clnt.c | 34 ++-- > net/sunrpc/debugfs.c | 2 +- > net/sunrpc/xprtsock.c | 310 +++++++++++++++++++++++++++++++- > 21 files changed, 805 insertions(+), 65 deletions(-) > create mode 100644 net/sunrpc/auth_tls.c >=20 > -- > Chuck Lever >=20 This looks pretty good overall. Nice work, Chuck. FWIW, I pulled these and ktls-utils down and gave them a spin and they worked just fine. You can add: Tested-by: Jeff Layton