From: Jeff Layton <jlayton@kernel.org>
To: Chuck Lever <cel@kernel.org>,
Benjamin Coddington <bcodding@hammerspace.com>,
Chuck Lever <chuck.lever@oracle.com>,
NeilBrown <neil@brown.name>, Trond Myklebust <trondmy@kernel.org>,
Anna Schumaker <anna@kernel.org>,
Eric Biggers <ebiggers@kernel.org>,
Rick Macklem <rick.macklem@gmail.com>
Cc: linux-nfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-crypto@vger.kernel.org
Subject: Re: [PATCH v1 2/4] nfsd: Add a key for signing filehandles
Date: Fri, 16 Jan 2026 10:25:11 -0500 [thread overview]
Message-ID: <3c5af19d8793c34022bde2cb7fcca1855d1ea080.camel@kernel.org> (raw)
In-Reply-To: <3fc1c84e-3f0b-4342-9034-93e7fb441756@app.fastmail.com>
On Fri, 2026-01-16 at 10:09 -0500, Chuck Lever wrote:
>
> On Fri, Jan 16, 2026, at 9:59 AM, Jeff Layton wrote:
> > On Fri, 2026-01-16 at 09:32 -0500, Benjamin Coddington wrote:
> > > Expand the nfsd_net to hold a siphash_key_t value "fh_key".
> > >
> > > Expand the netlink server interface to allow the setting of the 128-bit
> > > fh_key value to be used as a signing key for filehandles.
> > >
> > > Add a file to the nfsd filesystem to set and read the 128-bit key,
> > > formatted as a uuid.
> > >
> > > Signed-off-by: Benjamin Coddington <bcodding@hammerspace.com>
> > > ---
> > > Documentation/netlink/specs/nfsd.yaml | 12 ++++
> > > fs/nfsd/netlink.c | 15 +++++
> > > fs/nfsd/netlink.h | 1 +
> > > fs/nfsd/netns.h | 2 +
> > > fs/nfsd/nfsctl.c | 85 +++++++++++++++++++++++++++
> > > fs/nfsd/trace.h | 19 ++++++
> > > include/uapi/linux/nfsd_netlink.h | 2 +
> > > 7 files changed, 136 insertions(+)
> > >
> > > diff --git a/Documentation/netlink/specs/nfsd.yaml b/Documentation/netlink/specs/nfsd.yaml
> > > index badb2fe57c98..a467888cfa62 100644
> > > --- a/Documentation/netlink/specs/nfsd.yaml
> > > +++ b/Documentation/netlink/specs/nfsd.yaml
> > > @@ -81,6 +81,9 @@ attribute-sets:
> > > -
> > > name: min-threads
> > > type: u32
> > > + -
> > > + name: fh-key
> > > + type: binary
> > > -
> > > name: version
> > > attributes:
> > > @@ -227,3 +230,12 @@ operations:
> > > attributes:
> > > - mode
> > > - npools
> > > + -
> > > + name: fh-key-set
> > > + doc: set encryption key for filehandles
> > > + attribute-set: server
> > > + flags: [admin-perm]
> > > + do:
> > > + request:
> > > + attributes:
> > > + - fh-key
> >
> > Rather than a new netlink operation, I think we might be better served
> > with just sending the fh-key down as an optional attribute in the
> > "threads" op. It's a per-netns attribute anyway, and the threads
> > setting is handled similarly.
>
> Setting the FH key in the threads op seems awkward to me.
> Setting a key is optional, but you always set the thread
> count to start the server.
>
> Key setting is done once; whereas setting the thread count
> can be done many times during operation. It seems like it
> would be easy to mistakenly change the key when setting the
> thread count.
>
> From a "UI safety" perspective, a separate op makes sense
> to me.
>
I'm not convinced. We could easily vet that the key doesn't change when
changing the thread count, and either return an error or throw some
sort of warning and ignore the change.
My main thinking here is that you'd want to set up the key at startup
time and never change it, so if the server is already running you
probably want to reject key changes -- otherwise you may have already
given out some unencrypted handles.
If that's the case, then now you have to ensure you run the op to set
the key before issuing "threads".
Why deal with an ordering constraint like that? Optionally passing down
the key with "threads" means we handle it all in one shot.
> What feels a little strange though is where to store the
> key? I was thinking in /etc/exports, but that would make
> the FH key per-export rather than per-server instance.
>
> That gives a cryptographic benefit, as there would be
> more keying material. But maybe it doesn't make a lot of
> sense from a UX perspective.
>
> On the other hand, some might like to manage the key by
> storing it in a trusted compute module -- systemd has
> a facility to extract keys from a TCM.
>
Yeah, there are a lot of possibilities here. I like the idea of
scraping this out of the TPM, but that's not going to be possible
everywhere. We'll also need some alternate method of storing the key in
a secure way on the fs so that nfsdctl can get to it for hosts that
don't have a TPM.
--
Jeff Layton <jlayton@kernel.org>
next prev parent reply other threads:[~2026-01-16 15:25 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-16 14:32 [PATCH v1 0/4] kNFSD Signed Filehandles Benjamin Coddington
2026-01-16 14:32 ` [PATCH v1 1/4] nfsd: Convert export flags to use BIT() macro Benjamin Coddington
2026-01-16 15:31 ` Chuck Lever
2026-01-16 15:35 ` Benjamin Coddington
2026-01-16 15:38 ` Chuck Lever
2026-01-16 15:39 ` Benjamin Coddington
2026-01-16 14:32 ` [PATCH v1 2/4] nfsd: Add a key for signing filehandles Benjamin Coddington
2026-01-16 14:59 ` Jeff Layton
2026-01-16 15:09 ` Chuck Lever
2026-01-16 15:18 ` Benjamin Coddington
2026-01-16 15:25 ` Jeff Layton [this message]
2026-01-16 15:45 ` Chuck Lever
2026-01-16 15:52 ` Jeff Layton
2026-01-16 16:17 ` Chuck Lever
2026-01-19 16:15 ` Benjamin Coddington
2026-01-16 16:11 ` Chuck Lever
2026-01-16 16:42 ` Benjamin Coddington
2026-01-16 19:55 ` Chuck Lever
2026-01-16 21:37 ` kernel test robot
2026-01-16 14:32 ` [PATCH v1 3/4] NFSD/export: Add sign_fh export option Benjamin Coddington
2026-01-16 16:26 ` Chuck Lever
2026-01-16 14:32 ` [PATCH v1 4/4] NFSD: Sign filehandles Benjamin Coddington
2026-01-16 17:12 ` Chuck Lever
2026-01-16 18:29 ` Benjamin Coddington
2026-01-16 22:47 ` kernel test robot
2026-01-16 16:56 ` [PATCH v1 0/4] kNFSD Signed Filehandles Chuck Lever
2026-01-16 17:17 ` Benjamin Coddington
2026-01-16 19:43 ` Chuck Lever
2026-01-16 20:03 ` Trond Myklebust
2026-01-16 20:11 ` Benjamin Coddington
2026-01-17 0:54 ` [PATCH v1 4/4] NFSD: Sign filehandles NeilBrown
2026-01-17 12:30 ` Benjamin Coddington
2026-01-17 1:24 ` [PATCH v1 0/4] kNFSD Signed Filehandles NeilBrown
2026-01-17 12:30 ` Benjamin Coddington
2026-01-19 4:24 ` NeilBrown
2026-01-19 9:14 ` Christian Brauner
2026-01-19 21:06 ` NeilBrown
2026-01-19 21:29 ` Jeff Layton
2026-01-19 22:58 ` NeilBrown
2026-01-20 9:23 ` Christian Brauner
2026-01-20 9:46 ` NeilBrown
2026-01-20 10:20 ` Christian Brauner
2026-01-20 10:28 ` NeilBrown
2026-01-20 10:37 ` Christian Brauner
2026-01-20 10:13 ` NeilBrown
2026-01-20 12:56 ` Benjamin Coddington
2026-01-20 10:55 ` Miklos Szeredi
2026-01-20 13:03 ` Benjamin Coddington
2026-01-20 14:44 ` Miklos Szeredi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3c5af19d8793c34022bde2cb7fcca1855d1ea080.camel@kernel.org \
--to=jlayton@kernel.org \
--cc=anna@kernel.org \
--cc=bcodding@hammerspace.com \
--cc=cel@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=ebiggers@kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=neil@brown.name \
--cc=rick.macklem@gmail.com \
--cc=trondmy@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox