From: Christoph Hellwig <hch@lst.de>
To: Chuck Lever <chuck.lever@oracle.com>,
Trond Myklebust <trondmy@kernel.org>
Cc: Anna Schumaker <anna@kernel.org>,
David Howells <dhowells@redhat.com>,
Jarkko Sakkinen <jarkko@kernel.org>,
linux-nfs@vger.kernel.org,
kernel-tls-handshake <kernel-tls-handshake@lists.linux.dev>,
keyrings@vger.kernel.org
Subject: [PATCH 2/2] nfs: create a kernel keyring
Date: Wed, 7 May 2025 10:09:41 +0200 [thread overview]
Message-ID: <20250507080944.3947782-3-hch@lst.de> (raw)
In-Reply-To: <20250507080944.3947782-1-hch@lst.de>
Create a kernel .nfs keyring similar to the nvme .nvme one. Unlike for
a userspace-created keyrind, tlshd is a possesor of the keys with this
and thus the keys don't need user read permissions.
Signed-off-by: Christoph Hellwig <hch@lst.de>
---
fs/nfs/inode.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
index 119e447758b9..fb1fe1bdfe92 100644
--- a/fs/nfs/inode.c
+++ b/fs/nfs/inode.c
@@ -2571,6 +2571,8 @@ static struct pernet_operations nfs_net_ops = {
.size = sizeof(struct nfs_net),
};
+static struct key *nfs_keyring;
+
/*
* Initialize NFS
*/
@@ -2578,6 +2580,17 @@ static int __init init_nfs_fs(void)
{
int err;
+ if (IS_ENABLED(CONFIG_NFS_V4)) {
+ nfs_keyring = keyring_alloc(".nfs",
+ GLOBAL_ROOT_UID, GLOBAL_ROOT_GID,
+ current_cred(),
+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ (KEY_USR_ALL & ~KEY_USR_SETATTR),
+ KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
+ if (IS_ERR(nfs_keyring))
+ return PTR_ERR(nfs_keyring);
+ }
+
err = nfs_sysfs_init();
if (err < 0)
goto out10;
@@ -2653,6 +2666,8 @@ static void __exit exit_nfs_fs(void)
nfs_fs_proc_exit();
nfsiod_stop();
nfs_sysfs_exit();
+ if (IS_ENABLED(CONFIG_NFS_V4))
+ key_put(nfs_keyring);
}
/* Not quite true; I just maintain it */
--
2.47.2
next prev parent reply other threads:[~2025-05-07 8:09 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-07 8:09 RFC: support keyrings for NFS TLS mounts Christoph Hellwig
2025-05-07 8:09 ` [PATCH 1/2] NFS: support the kernel keyring for TLS Christoph Hellwig
2025-05-07 14:48 ` Sagi Grimberg
2025-05-07 15:01 ` Chuck Lever
2025-05-08 8:07 ` kernel test robot
2025-05-07 8:09 ` Christoph Hellwig [this message]
2025-05-07 14:51 ` [PATCH 2/2] nfs: create a kernel keyring Sagi Grimberg
2025-05-08 9:42 ` kernel test robot
-- strict thread matches above, loose matches on Subject: below --
2025-05-15 11:50 support keyrings for NFS TLS mounts v2 Christoph Hellwig
2025-05-15 11:50 ` [PATCH 2/2] nfs: create a kernel keyring Christoph Hellwig
2025-05-16 11:47 ` Sagi Grimberg
2025-05-16 17:03 ` Jarkko Sakkinen
2025-05-17 9:45 ` Sagi Grimberg
2025-06-02 15:25 ` Christoph Hellwig
2025-06-04 16:42 ` Jarkko Sakkinen
2025-06-05 4:28 ` Christoph Hellwig
2025-06-06 16:47 ` Jarkko Sakkinen
2025-06-09 4:01 ` Christoph Hellwig
2025-06-09 21:28 ` Jarkko Sakkinen
2025-06-10 4:34 ` Christoph Hellwig
2025-05-17 18:39 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250507080944.3947782-3-hch@lst.de \
--to=hch@lst.de \
--cc=anna@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=dhowells@redhat.com \
--cc=jarkko@kernel.org \
--cc=kernel-tls-handshake@lists.linux.dev \
--cc=keyrings@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=trondmy@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox