| field | value |
|---|---|
| author | Chuck Lever <chuck.lever@oracle.com>, 2023-06-07 10:00:09 -0400 |
| committer | Trond Myklebust <trond.myklebust@hammerspace.com>, 2023-06-19 12:30:17 -0400 |
| commit | c8407f2e560c53c4c73e77cb5604c8a408dbe7f7 (patch) |
| tree | f695d4a7ccdf9a62a0cd57a73e6e4303c53a23e5 /fs/nfs/client.c |
| parent | 6c0a8c5fcf7158e889dbdd077f67c81984704710 (diff) |
NFS: Add an "xprtsec=" NFS mount option
After some discussion, we decided that controlling transport layer
security policy should be separate from the setting for the user
authentication flavor. To accomplish this, add a new NFS mount
option to select a transport layer security policy for RPC
operations associated with the mount point.
xprtsec=none - Transport layer security is forced off.

xprtsec=tls - Establish an encryption-only TLS session. If the initial handshake fails, the mount fails. If TLS is not available on a reconnect, drop the connection and try again.

xprtsec=mtls - Both sides authenticate and an encrypted session is created. If the initial handshake fails, the mount fails. If TLS is not available on a reconnect, drop the connection and try again.
To support client peer authentication (mtls), the handshake daemon
will have configurable default authentication material (certificate
or pre-shared key). In the future, mount options can be added that
can provide this material on a per-mount basis.
Updates to mount.nfs (to support xprtsec=auto) and nfs(5) will be
sent under separate cover.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
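The commit message above gives the three policies a mount can carry and states that the transport is forced off when no policy is selected. An administrator reviewing a fleet after this change wants to know which NFS mounts are still running without transport security, so the following POSIX shell audit is added here as an example; it is not code from the patch or from the kernel tree. It assumes that the xprtsec= option is echoed back in the option field of /proc/mounts the way other NFS mount options are (an assumption, not something this commit shows), and the mount lines it runs on are constructed sample data.

```shell
#!/bin/sh
# Constructed sample of /proc/mounts lines (not captured from a real host):
# one non-NFS filesystem that must be ignored, two NFS mounts carrying an
# xprtsec= policy, and one legacy NFSv3 mount with no policy at all.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
fileserver:/export/home /home nfs4 rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,xprtsec=tls,addr=192.0.2.10 0 0
fileserver:/export/secure /srv/secure nfs4 rw,relatime,vers=4.2,xprtsec=mtls,addr=192.0.2.10 0 0
legacy:/data /mnt/data nfs rw,relatime,vers=3,proto=tcp,addr=192.0.2.20 0 0'

# Return the transport security policy of one /proc/mounts line: the value
# of xprtsec= when the option is present, otherwise "none", which is the
# default the commit message describes for a mount without the option.
# Assumes the option appears in the fourth (options) field, as other NFS
# options do.
nfs_xprtsec_policy() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    policy=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^xprtsec=//p')
    if [ -z "$policy" ]; then
        policy=none
    fi
    printf '%s\n' "$policy"
}

# Print "<mountpoint> <policy>" for every nfs/nfs4 mount in the given
# /proc/mounts text whose transport is not protected (policy none).
list_unencrypted_nfs() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        fstype=$(printf '%s\n' "$line" | awk '{print $3}')
        case "$fstype" in
            nfs|nfs4) ;;
            *) continue ;;
        esac
        policy=$(nfs_xprtsec_policy "$line")
        if [ "$policy" = none ]; then
            mnt=$(printf '%s\n' "$line" | awk '{print $2}')
            printf '%s %s\n' "$mnt" "$policy"
        fi
    done
}

# Number of unencrypted NFS mounts, convenient as a check result for a
# scheduled compliance job (0 means every NFS mount has tls or mtls).
count_unencrypted_nfs() {
    list_unencrypted_nfs "$1" | wc -l | tr -d ' '
}

# Demonstration run on the constructed sample; on a live host replace the
# argument with "$(cat /proc/mounts)".
list_unencrypted_nfs "$SAMPLE_MOUNTS"
```

Treating a missing xprtsec= as "none" mirrors the patch's own default and means a pre-TLS mount shows up in the report rather than being skipped, which is the fail-safe direction for an audit.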
Diffstat (limited to 'fs/nfs/client.c')
-rw-r--r-- | fs/nfs/client.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/fs/nfs/client.c b/fs/nfs/client.c index 9bfdade0f6e6..d5441e60d7e1 100644 --- a/fs/nfs/client.c +++ b/fs/nfs/client.c @@ -463,6 +463,7 @@ void nfs_init_timeout_values(struct rpc_timeout *to, int proto, switch (proto) { case XPRT_TRANSPORT_TCP: + case XPRT_TRANSPORT_TCP_TLS: case XPRT_TRANSPORT_RDMA: if (retrans == NFS_UNSPEC_RETRANS) to->to_retries = NFS_DEF_TCP_RETRANS; @@ -515,6 +516,7 @@ int nfs_create_rpc_client(struct nfs_client *clp, .version = clp->rpc_ops->version, .authflavor = flavor, .cred = cl_init->cred, + .xprtsec = cl_init->xprtsec, }; if (test_bit(NFS_CS_DISCRTRY, &clp->cl_flags)) @@ -680,9 +682,7 @@ static int nfs_init_server(struct nfs_server *server, .cred = server->cred, .nconnect = ctx->nfs_server.nconnect, .init_flags = (1UL << NFS_CS_REUSEPORT), - .xprtsec = { - .policy = RPC_XPRTSEC_NONE, - }, + .xprtsec = ctx->xprtsec, }; struct nfs_client *clp; int error; |
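Review bot: in the nfs_init_timeout_values hunk, the new `case XPRT_TRANSPORT_TCP_TLS:` folds TLS into the existing TCP/RDMA branch, so TLS mounts inherit NFS_DEF_TCP_RETRANS without any comment explaining that the extra handshake on connect and reconnect was weighed against keeping the TCP defaults. Suggest a one-line comment such as `/* TLS runs over TCP: same retrans defaults */` at the added case, and a check that every other `switch (proto)` listing XPRT_TRANSPORT_TCP also gains the TLS case, so a TLS mount never lands in a default branch elsewhere.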
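Review bot: `.xprtsec = cl_init->xprtsec,` in the nfs_create_rpc_client hunk copies the policy into rpc_create_args by value with no check that it agrees with the transport being created; a tls or mtls policy only makes sense together with XPRT_TRANSPORT_TCP_TLS. If the mount-option parser already guarantees that pairing, a short comment here naming where it is enforced would save the next reader a search; otherwise a sanity check returning -EINVAL before the RPC client is created would stop an inconsistent cl_init from yielding a mount that is silently unencrypted.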
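Review bot: replacing the hard-coded `.policy = RPC_XPRTSEC_NONE` with `.xprtsec = ctx->xprtsec` in the nfs_init_server hunk changes the default for every caller from "forced off" to "whatever the fs_context carries", so the forced-off behaviour the commit message promises for the no-option case now depends on the context parser setting ctx->xprtsec.policy to RPC_XPRTSEC_NONE explicitly. Please confirm that initialisation is explicit rather than a zero-filled struct, since the relation between enum value 0 and RPC_XPRTSEC_NONE is not visible in this hunk; a comment at the initializer saying the default is established by the parser would document the dependency.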