From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.223.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 19D21314A84 for ; Mon, 4 May 2026 08:21:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.135.223.130 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777882919; cv=none; b=ITnuhpYlc/cEGTyzMqzqJMBqcrfPqeIfSKO6HtFUdiFb9y3g5DJu7id2siuCL+4FpPgVYEGWtKG4ouSUcwfVuv+O08hgjapuy3O562KmckoBGgHOdrLiGJ4wwDbGBdcI8Z0N1Qe29ETnZCRhFxaXSWFpWJf3wmlMRSEfZXLdK5w= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777882919; c=relaxed/simple; bh=YYeSSO05Z8FpH5+OxXWTfRqF7HXicDPr8aCLrbyPOyM=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=oK3RXs9gJ6AxEO1061g1JHjcdEfhcKNQOqbhwspc1eDRSq1XbDLSyxoRnaBLHV8KWIMBPiWhMDhjuK+/doamEBtRTAVwv1NyabP7Fvmfhu3aY0yUaY+w1EOpXlsPNmvl4q3AmyJ+qUDlOVITFjcekbexc5XXPPPhyuS5msowbIw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=suse.de; spf=pass smtp.mailfrom=suse.de; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.b=Z5rdXn2i; dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b=WMsa+mLv; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.b=Z5rdXn2i; dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b=WMsa+mLv; arc=none smtp.client-ip=195.135.223.130 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=suse.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=suse.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.b="Z5rdXn2i"; dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b="WMsa+mLv"; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.b="Z5rdXn2i"; dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b="WMsa+mLv" Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 52FF06AC92; Mon, 4 May 2026 08:21:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1777882916; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UQ0Kyrk7mLKL1VOxGu3W8D7EYnYL/BArD4/XzEwRAmg=; b=Z5rdXn2i8B/6X/2ghcUzed1DIRt8Gt9dTPM163EhR+BeV7yC2AoRsW4kBBDgV0qBWfEPdf iRLZVosenWz5DQ0C5dx73WfPF9j03H0e2Iciq5eGOkpRmbvTMoUFPjCOLxWT6I7hxKW2x7 PEx68ChweheYXuS9nHrKbUZAg4+sva8= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1777882916; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UQ0Kyrk7mLKL1VOxGu3W8D7EYnYL/BArD4/XzEwRAmg=; b=WMsa+mLv2Qqsqp74OYU9nWRPfnRR3jGKycVaLnnH3yKPc2K3T2vK5RtKK0SQsRI7jUNSQJ vu7k7/co+9WYcGAA== Authentication-Results: smtp-out1.suse.de; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1777882916; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UQ0Kyrk7mLKL1VOxGu3W8D7EYnYL/BArD4/XzEwRAmg=; b=Z5rdXn2i8B/6X/2ghcUzed1DIRt8Gt9dTPM163EhR+BeV7yC2AoRsW4kBBDgV0qBWfEPdf iRLZVosenWz5DQ0C5dx73WfPF9j03H0e2Iciq5eGOkpRmbvTMoUFPjCOLxWT6I7hxKW2x7 PEx68ChweheYXuS9nHrKbUZAg4+sva8= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1777882916; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UQ0Kyrk7mLKL1VOxGu3W8D7EYnYL/BArD4/XzEwRAmg=; b=WMsa+mLv2Qqsqp74OYU9nWRPfnRR3jGKycVaLnnH3yKPc2K3T2vK5RtKK0SQsRI7jUNSQJ vu7k7/co+9WYcGAA== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 1F696593A3; Mon, 4 May 2026 08:21:56 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id ygeQBiRX+GlLXQAAD6G6ig (envelope-from ); Mon, 04 May 2026 08:21:56 +0000 Message-ID: <166afad9-e0cd-4f66-908d-75999bd96243@suse.de> Date: Mon, 4 May 2026 10:21:51 +0200 Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Breakage in ktls-utils with nfs keyring? To: Sagi Grimberg , Chuck Lever , Scott Mayhew Cc: Chuck Lever , Linux NFS Mailing List , kernel-tls-handshake@lists.linux.dev References: <92a53963-1e4b-42eb-af81-6be9f63f9e43@app.fastmail.com> <7c6516be-adb9-4d0d-ba7c-fa107fd4a865@app.fastmail.com> <98a865cb-94e3-4f57-8b9e-0634c43098b9@app.fastmail.com> <2330c9c6-de7e-4cac-b991-3ffcfdc23858@grimberg.me> <7390cf6c-0f65-41f9-b5e6-4414417efa2c@grimberg.me> Content-Language: en-US From: Hannes Reinecke In-Reply-To: <7390cf6c-0f65-41f9-b5e6-4414417efa2c@grimberg.me> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Score: -3.30 X-Spam-Level: X-Spamd-Result: default: False [-3.30 / 50.00]; BAYES_HAM(-3.00)[100.00%]; SUBJECT_ENDS_QUESTION(1.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; MID_RHS_MATCH_FROM(0.00)[]; MIME_TRACE(0.00)[0:+]; ARC_NA(0.00)[]; FUZZY_RATELIMITED(0.00)[rspamd.com]; RCVD_VIA_SMTP_AUTH(0.00)[]; RCVD_TLS_ALL(0.00)[]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; URIBL_BLOCKED(0.00)[suse.de:mid,suse.de:email,imap1.dmz-prg2.suse.org:helo]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; RCPT_COUNT_FIVE(0.00)[6] X-Spam-Flag: NO On 5/4/26 10:02, Sagi Grimberg wrote: >>>> This is because handling an NVMe PSK in the keyring is a first-class, >>>> supported mechanism. Handling the x.509 certificate this way hasn't >>>> really been thought through. >>> What makes NVMe PSK more "supported" than x.509? >> Hannes contributed NVMe PSK in the beginning. IIUC PSK was the first >> authentication mode available for the NVMe/TCP protocol. I'm not sure >> we can say that x.509 is supported for our NVMe/TCP implementation, >> though that is something that should be made to work someday. > > That depends if NVMe standardizes x.509, I am no longer a member of > the TWG so I don't know, but I agree that it would be very nice to have. > Sadly, this has been shelved for now. There are no takers to move things forward. So we're stuck with PSK for the time being. Cheers, Hannes -- Dr. Hannes Reinecke Kernel Storage Architect hare@suse.de +49 911 74053 688 SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich