From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C1117368283; Thu, 22 Jan 2026 17:03:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769101435; cv=none; b=KH2upO/joZxZ/S7D2Xgnyzto2tlRWZ/mukW0MoZnxvrQPfIF/kTZJAu46/BDZDngwqYFA5gioxVxFk4ctXq3CEhwW4YW079rR2FA0ngy2a2ktx0aOD2UKY9ciuVKiuSpgX3UI5e/wDFkMlpAPYebFct7NAj9VZXWD9iKldbeMto= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769101435; c=relaxed/simple; bh=5uYZIgtP95HcCcKjV89T1MqTRQb34dcfkIwmM8Z2DGo=; h=Message-ID:Subject:From:To:Cc:Date:In-Reply-To:References: Content-Type:MIME-Version; b=rK7L6P4H/LEW+guuPkpKXhXMUdLZZhSTOBFShWQTryltLp5me6O2iiRsAZVPe4lp4IFQbmYAeeWAkq/5+gTrprfA/biB/ElTkO53hOuJO5QNp8ITQe9PwjY9mjErJavPFuK/9edIzyNcuHPgUNvLbXu/EYmQoNPEK8XmMmI8Miw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=e8sSWo0X; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="e8sSWo0X" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 34C69C116D0; Thu, 22 Jan 2026 17:03:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1769101434; bh=5uYZIgtP95HcCcKjV89T1MqTRQb34dcfkIwmM8Z2DGo=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=e8sSWo0XTTpZ+e+dMS5rSKHGP5z+Mpe0JAWFubZTiuxmd3jueOkxdgT8fCLxN5ZjH 0ZsfzB/oPVJtZQggTEdH280gThRHUCmW9ePnig9UA2c+iyRpu7jjqMOmx6oa5XUX9c K/drpSlczX5tNh92iRLwxc6Y5+8+4fhdD8IZt/I2YKpG2BNjbi1nBRXdiqRIKHO92G 6bfMcbrFWJmOhFrsmhCjJAxCCkn4M2uw2VfrY6kxgPTDmroNLa8cbZqCmxwgkcUuOa 3MWkQD02RiDG221Lq3odArrmCdCKSDwn3kqI6f1iTcEa1eM7XRkloqXByjkFteRIHu LiecZfiDH/vFw== Message-ID: Subject: Re: [PATCH v2 2/3] NFSD/export: Add sign_fh export option From: Jeff Layton To: Benjamin Coddington Cc: Chuck Lever , NeilBrown , Trond Myklebust , Anna Schumaker , Eric Biggers , Rick Macklem , linux-nfs@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-crypto@vger.kernel.org Date: Thu, 22 Jan 2026 12:03:51 -0500 In-Reply-To: References: <7202a379d564fc1be6d2bfbf4da85c40418d9b07.1769026777.git.bcodding@hammerspace.com> <801018d9115ea8abb214eaa74d5000c6f7f758a4.camel@kernel.org> <0597653E-1984-4D2B-9A47-9BAE3A8E7A8B@hammerspace.com> <29da00c72005812ca83954e8f2af91248b5bffe4.camel@kernel.org> Autocrypt: addr=jlayton@kernel.org; prefer-encrypt=mutual; keydata=mQINBE6V0TwBEADXhJg7s8wFDwBMEvn0qyhAnzFLTOCHooMZyx7XO7dAiIhDSi7G1NPxw n8jdFUQMCR/GlpozMFlSFiZXiObE7sef9rTtM68ukUyZM4pJ9l0KjQNgDJ6Fr342Htkjxu/kFV1Wv egyjnSsFt7EGoDjdKqr1TS9syJYFjagYtvWk/UfHlW09X+jOh4vYtfX7iYSx/NfqV3W1D7EDi0PqV T2h6v8i8YqsATFPwO4nuiTmL6I40ZofxVd+9wdRI4Db8yUNA4ZSP2nqLcLtFjClYRBoJvRWvsv4lm 0OX6MYPtv76hka8lW4mnRmZqqx3UtfHX/hF/zH24Gj7A6sYKYLCU3YrI2Ogiu7/ksKcl7goQjpvtV YrOOI5VGLHge0awt7bhMCTM9KAfPc+xL/ZxAMVWd3NCk5SamL2cE99UWgtvNOIYU8m6EjTLhsj8sn VluJH0/RcxEeFbnSaswVChNSGa7mXJrTR22lRL6ZPjdMgS2Km90haWPRc8Wolcz07Y2se0xpGVLEQ cDEsvv5IMmeMe1/qLZ6NaVkNuL3WOXvxaVT9USW1+/SGipO2IpKJjeDZfehlB/kpfF24+RrK+seQf CBYyUE8QJpvTZyfUHNYldXlrjO6n5MdOempLqWpfOmcGkwnyNRBR46g/jf8KnPRwXs509yAqDB6sE LZH+yWr9LQZEwARAQABtCVKZWZmIExheXRvbiA8amxheXRvbkBwb29jaGllcmVkcy5uZXQ+iQI7BB MBAgAlAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCTpXWPAIZAQAKCRAADmhBGVaCFc65D/4 gBLNMHopQYgG/9RIM3kgFCCQV0pLv0hcg1cjr+bPI5f1PzJoOVi9s0wBDHwp8+vtHgYhM54yt43uI 7Htij0RHFL5eFqoVT4TSfAg2qlvNemJEOY0e4daljjmZM7UtmpGs9NN0r9r50W82eb5Kw5bc/r0km R/arUS2st+ecRsCnwAOj6HiURwIgfDMHGPtSkoPpu3DDp/cjcYUg3HaOJuTjtGHFH963B+f+hyQ2B rQZBBE76ErgTDJ2Db9Ey0kw7VEZ4I2nnVUY9B5dE2pJFVO5HJBMp30fUGKvwaKqYCU2iAKxdmJXRI ONb7dSde8LqZahuunPDMZyMA5+mkQl7kpIpR6kVDIiqmxzRuPeiMP7O2FCUlS2DnJnRVrHmCljLkZ Wf7ZUA22wJpepBligemtSRSbqCyZ3B48zJ8g5B8xLEntPo/NknSJaYRvfEQqGxgk5kkNWMIMDkfQO lDSXZvoxqU9wFH/9jTv1/6p8dHeGM0BsbBLMqQaqnWiVt5mG92E1zkOW69LnoozE6Le+12DsNW7Rj iR5K+27MObjXEYIW7FIvNN/TQ6U1EOsdxwB8o//Yfc3p2QqPr5uS93SDDan5ehH59BnHpguTc27Xi QQZ9EGiieCUx6Zh2ze3X2UW9YNzE15uKwkkuEIj60NvQRmEDfweYfOfPVOueC+iFifbQgSmVmZiBM YXl0b24gPGpsYXl0b25AcmVkaGF0LmNvbT6JAjgEEwECACIFAk6V0q0CGwMGCwkIBwMCBhUIAgkKC wQWAgMBAh4BAheAAAoJEAAOaEEZVoIViKUQALpvsacTMWWOd7SlPFzIYy2/fjvKlfB/Xs4YdNcf9q LqF+lk2RBUHdR/dGwZpvw/OLmnZ8TryDo2zXVJNWEEUFNc7wQpl3i78r6UU/GUY/RQmOgPhs3epQC 3PMJj4xFx+VuVcf/MXgDDdBUHaCTT793hyBeDbQuciARDJAW24Q1RCmjcwWIV/pgrlFa4lAXsmhoa c8UPc82Ijrs6ivlTweFf16VBc4nSLX5FB3ls7S5noRhm5/Zsd4PGPgIHgCZcPgkAnU1S/A/rSqf3F LpU+CbVBDvlVAnOq9gfNF+QiTlOHdZVIe4gEYAU3CUjbleywQqV02BKxPVM0C5/oVjMVx3bri75n1 TkBYGmqAXy9usCkHIsG5CBHmphv9MHmqMZQVsxvCzfnI5IO1+7MoloeeW/lxuyd0pU88dZsV/riHw 87i2GJUJtVlMl5IGBNFpqoNUoqmvRfEMeXhy/kUX4Xc03I1coZIgmwLmCSXwx9MaCPFzV/dOOrju2 xjO+2sYyB5BNtxRqUEyXglpujFZqJxxau7E0eXoYgoY9gtFGsspzFkVNntamVXEWVVgzJJr/EWW0y +jNd54MfPRqH+eCGuqlnNLktSAVz1MvVRY1dxUltSlDZT7P2bUoMorIPu8p7ZCg9dyX1+9T6Muc5d Hxf/BBP/ir+3e8JTFQBFOiLNdFtB9KZWZmIExheXRvbiA8amxheXRvbkBzYW1iYS5vcmc+iQI4BBM BAgAiBQJOldK9AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAADmhBGVaCFWgWD/0ZRi4h N9FK2BdQs9RwNnFZUr7JidAWfCrs37XrA/56olQl3ojn0fQtrP4DbTmCuh0SfMijB24psy1GnkPep naQ6VRf7Dxg/Y8muZELSOtsv2CKt3/02J1BBitrkkqmHyni5fLLYYg6fub0T/8Kwo1qGPdu1hx2BQ RERYtQ/S5d/T0cACdlzi6w8rs5f09hU9Tu4qV1JLKmBTgUWKN969HPRkxiojLQziHVyM/weR5Reu6 FZVNuVBGqBD+sfk/c98VJHjsQhYJijcsmgMb1NohAzwrBKcSGKOWJToGEO/1RkIN8tqGnYNp2G+aR 685D0chgTl1WzPRM6mFG1+n2b2RR95DxumKVpwBwdLPoCkI24JkeDJ7lXSe3uFWISstFGt0HL8Eew P8RuGC8s5h7Ct91HMNQTbjgA+Vi1foWUVXpEintAKgoywaIDlJfTZIl6Ew8ETN/7DLy8bXYgq0Xzh aKg3CnOUuGQV5/nl4OAX/3jocT5Cz/OtAiNYj5mLPeL5z2ZszjoCAH6caqsF2oLyAnLqRgDgR+wTQ T6gMhr2IRsl+cp8gPHBwQ4uZMb+X00c/Amm9VfviT+BI7B66cnC7Zv6Gvmtu2rEjWDGWPqUgccB7h dMKnKDthkA227/82tYoFiFMb/NwtgGrn5n2vwJyKN6SEoygGrNt0SI84y6hEVbQlSmVmZiBMYXl0b 24gPGpsYXl0b25AcHJpbWFyeWRhdGEuY29tPokCOQQTAQIAIwUCU4xmKQIbAwcLCQgHAwIBBhUIAg kKCwQWAgMBAh4BAheAAAoJEAAOaEEZVoIV1H0P/j4OUTwFd7BBbpoSp695qb6HqCzWMuExsp8nZjr uymMaeZbGr3OWMNEXRI1FWNHMtcMHWLP/RaDqCJil28proO+PQ/yPhsr2QqJcW4nr91tBrv/MqItu AXLYlsgXqp4BxLP67bzRJ1Bd2x0bWXurpEXY//VBOLnODqThGEcL7jouwjmnRh9FTKZfBDpFRaEfD FOXIfAkMKBa/c9TQwRpx2DPsl3eFWVCNuNGKeGsirLqCxUg5kWTxEorROppz9oU4HPicL6rRH22Ce 6nOAON2vHvhkUuO3GbffhrcsPD4DaYup4ic+DxWm+DaSSRJ+e1yJvwi6NmQ9P9UAuLG93S2MdNNbo sZ9P8k2mTOVKMc+GooI9Ve/vH8unwitwo7ORMVXhJeU6Q0X7zf3SjwDq2lBhn1DSuTsn2DbsNTiDv qrAaCvbsTsw+SZRwF85eG67eAwouYk+dnKmp1q57LDKMyzysij2oDKbcBlwB/TeX16p8+LxECv51a sjS9TInnipssssUDrHIvoTTXWcz7Y5wIngxDFwT8rPY3EggzLGfK5Zx2Q5S/N0FfmADmKknG/D8qG IcJE574D956tiUDKN4I+/g125ORR1v7bP+OIaayAvq17RP+qcAqkxc0x8iCYVCYDouDyNvWPGRhbL UO7mlBpjW9jK9e2fvZY9iw3QzIPGKtClKZWZmIExheXRvbiA8amVmZi5sYXl0b25AcHJpbWFyeWRh dGEuY29tPokCOQQTAQIAIwUCU4xmUAIbAwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEAAOa EEZVoIVzJoQALFCS6n/FHQS+hIzHIb56JbokhK0AFqoLVzLKzrnaeXhE5isWcVg0eoV2oTScIwUSU apy94if69tnUo4Q7YNt8/6yFM6hwZAxFjOXR0ciGE3Q+Z1zi49Ox51yjGMQGxlakV9ep4sV/d5a50 M+LFTmYSAFp6HY23JN9PkjVJC4PUv5DYRbOZ6Y1+TfXKBAewMVqtwT1Y+LPlfmI8dbbbuUX/kKZ5d dhV2736fgyfpslvJKYl0YifUOVy4D1G/oSycyHkJG78OvX4JKcf2kKzVvg7/Rnv+AueCfFQ6nGwPn 0P91I7TEOC4XfZ6a1K3uTp4fPPs1Wn75X7K8lzJP/p8lme40uqwAyBjk+IA5VGd+CVRiyJTpGZwA0 jwSYLyXboX+Dqm9pSYzmC9+/AE7lIgpWj+3iNisp1SWtHc4pdtQ5EU2SEz8yKvDbD0lNDbv4ljI7e flPsvN6vOrxz24mCliEco5DwhpaaSnzWnbAPXhQDWb/lUgs/JNk8dtwmvWnqCwRqElMLVisAbJmC0 BhZ/Ab4sph3EaiZfdXKhiQqSGdK4La3OTJOJYZphPdGgnkvDV9Pl1QZ0ijXQrVIy3zd6VCNaKYq7B AKidn5g/2Q8oio9Tf4XfdZ9dtwcB+bwDJFgvvDYaZ5bI3ln4V3EyW5i2NfXazz/GA/I/ZtbsigCFc 8ftCBKZWZmIExheXRvbiA8amxheXRvbkBrZXJuZWwub3JnPokCOAQTAQIAIgUCWe8u6AIbAwYLCQg HAwIGFQgCCQoLBBYCAwECHgECF4AACgkQAA5oQRlWghUuCg/+Lb/xGxZD2Q1oJVAE37uW308UpVSD 2tAMJUvFTdDbfe3zKlPDTuVsyNsALBGclPLagJ5ZTP+Vp2irAN9uwBuacBOTtmOdz4ZN2tdvNgozz uxp4CHBDVzAslUi2idy+xpsp47DWPxYFIRP3M8QG/aNW052LaPc0cedYxp8+9eiVUNpxF4SiU4i9J DfX/sn9XcfoVZIxMpCRE750zvJvcCUz9HojsrMQ1NFc7MFT1z3MOW2/RlzPcog7xvR5ENPH19ojRD CHqumUHRry+RF0lH00clzX/W8OrQJZtoBPXv9ahka/Vp7kEulcBJr1cH5Wz/WprhsIM7U9pse1f1g Yy9YbXtWctUz8uvDR7shsQxAhX3qO7DilMtuGo1v97I/Kx4gXQ52syh/w6EBny71CZrOgD6kJwPVV AaM1LRC28muq91WCFhs/nzHozpbzcheyGtMUI2Ao4K6mnY+3zIuXPygZMFr9KXE6fF7HzKxKuZMJO aEZCiDOq0anx6FmOzs5E6Jqdpo/mtI8beK+BE7Va6ni7YrQlnT0i3vaTVMTiCThbqsB20VrbMjlhp f8lfK1XVNbRq/R7GZ9zHESlsa35ha60yd/j3pu5hT2xyy8krV8vGhHvnJ1XRMJBAB/UYb6FyC7S+m QZIQXVeAA+smfTT0tDrisj1U5x6ZB9b3nBg65kc= Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.58.2 (3.58.2-1.fc43) Precedence: bulk X-Mailing-List: linux-crypto@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 On Thu, 2026-01-22 at 11:54 -0500, Benjamin Coddington wrote: > On 22 Jan 2026, at 11:50, Jeff Layton wrote: >=20 > > On Thu, 2026-01-22 at 11:31 -0500, Benjamin Coddington wrote: > > > On 22 Jan 2026, at 11:02, Jeff Layton wrote: > > >=20 > > > > On Wed, 2026-01-21 at 15:24 -0500, Benjamin Coddington wrote: > > > > > In order to signal that filehandles on this export should be sign= ed, add a > > > > > "sign_fh" export option. Filehandle signing can help the server = defend > > > > > against certain filehandle guessing attacks. > > > > >=20 > > > > > Setting the "sign_fh" export option sets NFSEXP_SIGN_FH. In a fu= ture patch > > > > > NFSD uses this signal to append a MAC onto filehandles for that e= xport. > > > > >=20 > > > > > While we're in here, tidy a few stray expflags to more closely al= ign to the > > > > > export flag order. > > > > >=20 > > > > > Link: https://lore.kernel.org/linux-nfs/cover.1769026777.git.bcod= ding@hammerspace.com > > > > > Signed-off-by: Benjamin Coddington > > > > > --- > > > > > fs/nfsd/export.c | 5 +++-- > > > > > include/uapi/linux/nfsd/export.h | 4 ++-- > > > > > 2 files changed, 5 insertions(+), 4 deletions(-) > > > > >=20 > > > > > diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c > > > > > index 2a1499f2ad19..19c7a91c5373 100644 > > > > > --- a/fs/nfsd/export.c > > > > > +++ b/fs/nfsd/export.c > > > > > @@ -1349,13 +1349,14 @@ static struct flags { > > > > > { NFSEXP_ASYNC, {"async", "sync"}}, > > > > > { NFSEXP_GATHERED_WRITES, {"wdelay", "no_wdelay"}}, > > > > > { NFSEXP_NOREADDIRPLUS, {"nordirplus", ""}}, > > > > > + { NFSEXP_SECURITY_LABEL, {"security_label", ""}}, > > > > > + { NFSEXP_SIGN_FH, {"sign_fh", ""}}, > > > > > { NFSEXP_NOHIDE, {"nohide", ""}}, > > > > > - { NFSEXP_CROSSMOUNT, {"crossmnt", ""}}, > > > > > { NFSEXP_NOSUBTREECHECK, {"no_subtree_check", ""}}, > > > > > { NFSEXP_NOAUTHNLM, {"insecure_locks", ""}}, > > > > > + { NFSEXP_CROSSMOUNT, {"crossmnt", ""}}, > > > > > { NFSEXP_V4ROOT, {"v4root", ""}}, > > > > > { NFSEXP_PNFS, {"pnfs", ""}}, > > > > > - { NFSEXP_SECURITY_LABEL, {"security_label", ""}}, > > > > > { 0, {"", ""}} > > > > > }; > > > > >=20 > > > > > diff --git a/include/uapi/linux/nfsd/export.h b/include/uapi/linu= x/nfsd/export.h > > > > > index a73ca3703abb..de647cf166c3 100644 > > > > > --- a/include/uapi/linux/nfsd/export.h > > > > > +++ b/include/uapi/linux/nfsd/export.h > > > > > @@ -34,7 +34,7 @@ > > > > > #define NFSEXP_GATHERED_WRITES 0x0020 > > > > > #define NFSEXP_NOREADDIRPLUS 0x0040 > > > > > #define NFSEXP_SECURITY_LABEL 0x0080 > > > > > -/* 0x100 currently unused */ > > > > > +#define NFSEXP_SIGN_FH 0x0100 > > > > > #define NFSEXP_NOHIDE 0x0200 > > > > > #define NFSEXP_NOSUBTREECHECK 0x0400 > > > > > #define NFSEXP_NOAUTHNLM 0x0800 /* Don't authenticate NLM reque= sts - just trust */ > > > > > @@ -55,7 +55,7 @@ > > > > > #define NFSEXP_PNFS 0x20000 > > > > >=20 > > > > > /* All flags that we claim to support. (Note we don't support N= OACL.) */ > > > > > -#define NFSEXP_ALLFLAGS 0x3FEFF > > > > > +#define NFSEXP_ALLFLAGS 0x3FFFF > > > > >=20 > > > > > /* The flags that may vary depending on security flavor: */ > > > > > #define NFSEXP_SECINFO_FLAGS (NFSEXP_READONLY | NFSEXP_ROOTSQUAS= H \ > > > >=20 > > > > One thing that needs to be understood and documented is how things = will > > > > behave when this flag changes. For instance: > > > >=20 > > > > Support we start with sign_fh enabled, and client gets a signed > > > > filehandle. The server then reboots and the export options change s= uch > > > > that sign_fh is disabled. What happens when the client tries to pre= sent > > > > that fh to the server? Does it ignore the signature (since sign_fh = is > > > > now disabled), or does it reject the filehandle because it's not > > > > expecting a signature? > > >=20 > > > That's great question - right now it will first look up the export, s= ee that > > > NFSEXP_SIGN_FH is not set, then bypass verifying (and truncating) the= MAC > > > from the end of the filehadle before sending the filehandle off to ex= portfs > > > - the end result will be will be -ESTALE. > > >=20 > > > Would it be a good idea to allow the server to see that the filehandl= e has > > > FH_AT_MAC set, and just trim off the MAC without verifying it? That = would > > > allow the signed fh to still function on that export. > > >=20 > > > Might need to audit the cases where fh_match() is used in that case, = or make > > > fh_match() signed-aware. I'm less familiar with those cases, but I c= an look > > > into them. > > >=20 > >=20 > > No, I think -ESTALE is fine in this situation. I don't think we need to > > go to any great lengths to make this scenario actually work. We just > > need to understand what happens if it does, and make sure that it's > > documented. >=20 > Got it - I will document this behavior in the commit message of the last > patch on the next posting. I think I'll probably also add a check for th= is > case -- no need to send the filehandle off to the filesystems if we know = its > going to fail to resolve to a dentry. >=20 Consider adding a new section in Documentation/filesystems/nfs/exporting.rst. Commit messages will be harder to dig out years from now. --=20 Jeff Layton