From patchwork Wed Mar 29 14:08:12 2023 X-Patchwork-Submitter: Chuck Lever X-Patchwork-Id: 13192482 Subject: [PATCH v2 1/4] libexports: Fix
whitespace damage in support/nfs/exports.c From: Chuck Lever To: SteveD@redhat.com Cc: linux-nfs@vger.kernel.org, rick.macklem@gmail.com, kernel-tls-handshake@lists.linux.dev Date: Wed, 29 Mar 2023 10:08:12 -0400 Message-ID: <168009889255.2522.14900308408258808762.stgit@manet.1015granger.net> In-Reply-To: <168009806320.2522.10415374334827613451.stgit@manet.1015granger.net> References: <168009806320.2522.10415374334827613451.stgit@manet.1015granger.net> User-Agent: StGit/1.5 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org From: Chuck Lever Clean up. Signed-off-by: Chuck Lever --- support/nfs/exports.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/support/nfs/exports.c b/support/nfs/exports.c index 2c8f0752ad9d..7f12383981c3 100644 --- a/support/nfs/exports.c +++ b/support/nfs/exports.c @@ -122,7 +122,7 @@ getexportent(int fromkernel, int fromexports) if (first || (ok = getexport(exp, sizeof(exp))) == 0) { has_default_opts = 0; has_default_subtree_opts = 0; - + init_exportent(&def_ee, fromkernel); ok = getpath(def_ee.e_path, sizeof(def_ee.e_path)); @@ -146,7 +146,7 @@ getexportent(int fromkernel, int fromexports) if (exp[0] == '-' && !fromkernel) { if (parseopts(exp + 1, &def_ee, 0, &has_default_subtree_opts) < 0) return NULL; - + has_default_opts = 1; ok = getexport(exp, sizeof(exp)); @@ -239,7 +239,6 @@ void secinfo_show(FILE *fp, struct exportent *ep) if (ep->e_secinfo[0].flav == NULL) secinfo_addflavor(find_flavor("sys"), ep); for (p1=ep->e_secinfo; p1->flav; p1=p2) { - fprintf(fp, ",sec=%s", p1->flav->flavour); for (p2=p1+1; (p2->flav != NULL) && (p1->flags == p2->flags); p2++) { @@ -621,7 +620,7 @@ parseopts(char *cp, struct exportent *ep, int warn, int *had_subtree_opt_ptr) ep->e_anonuid = strtol(opt+8, &oe, 10); if (opt[8]=='\0' || *oe != '\0') { xlog(L_ERROR, "%s: %d: bad anonuid \"%s\"\n", - flname, flline, opt); + flname, flline, opt); bad_option: free(opt); return -1; 
@@ -631,7 +630,7 @@ bad_option: ep->e_anongid = strtol(opt+8, &oe, 10); if (opt[8]=='\0' || *oe != '\0') { xlog(L_ERROR, "%s: %d: bad anongid \"%s\"\n", - flname, flline, opt); + flname, flline, opt); goto bad_option; } } else if (strncmp(opt, "squash_uids=", 12) == 0) { @@ -649,13 +648,13 @@ bad_option: setflags(NFSEXP_FSID, active, ep); } else { ep->e_fsid = strtoul(opt+5, &oe, 0); - if (opt[5]!='\0' && *oe == '\0') + if (opt[5]!='\0' && *oe == '\0') setflags(NFSEXP_FSID, active, ep); else if (valid_uuid(opt+5)) ep->e_uuid = strdup(opt+5); else { xlog(L_ERROR, "%s: %d: bad fsid \"%s\"\n", - flname, flline, opt); + flname, flline, opt); goto bad_option; } } 
@@ -709,7 +708,7 @@ out: if (warn && !had_subtree_opt) xlog(L_WARNING, "%s [%d]: Neither 'subtree_check' or 'no_subtree_check' specified for export \"%s:%s\".\n" " Assuming default behaviour ('no_subtree_check').\n" - " NOTE: this default has changed since nfs-utils version 1.0.x\n", + " NOTE: this default has changed since nfs-utils version 1.0.x\n", flname, flline, ep->e_hostname, ep->e_path);
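Review bot: the commit message ("Clean up.") should say that this is a whitespace-only change, since that is what the subject claims and what the hunks show: trailing whitespace removed from blank lines in getexportent(), a stray blank line dropped in secinfo_show(), and space-indented continuation lines in parseopts() re-indented with tabs. A sentence such as "No functional change; `git diff -w` against the parent is empty" lets a reviewer confirm the intent without comparing each hunk character by character.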
Subject: [PATCH v2 2/4] exports: Add an xprtsec= export option From: Chuck Lever To: SteveD@redhat.com Cc: linux-nfs@vger.kernel.org, rick.macklem@gmail.com, kernel-tls-handshake@lists.linux.dev Date: Wed, 29 Mar 2023 10:08:19 -0400 Message-ID: <168009889899.2522.2402192914493543037.stgit@manet.1015granger.net> In-Reply-To: <168009806320.2522.10415374334827613451.stgit@manet.1015granger.net> References: <168009806320.2522.10415374334827613451.stgit@manet.1015granger.net>
From: Chuck Lever The overall goal is to enable administrators to require the use of transport layer security when clients access particular exports. This patch adds support to exportfs to parse, display, and push into the kernel a new xprtsec= export option. Signed-off-by: Chuck Lever --- support/export/cache.c | 15 +++++++ support/include/nfs/export.h | 14 +++++++ support/include/nfslib.h | 14 +++++++ support/nfs/exports.c | 85 ++++++++++++++++++++++++++++++++++++++++++ utils/exportfs/exportfs.c | 1 5 files changed, 129 insertions(+)
diff --git a/support/export/cache.c b/support/export/cache.c index 2497d4f48df3..9354f71db894 100644 --- a/support/export/cache.c +++ b/support/export/cache.c @@ -932,6 +932,7 @@ static void write_fsloc(char **bp, int *blen, struct exportent *ep) release_replicas(servers); } #endif + static void write_secinfo(char **bp, int *blen, struct exportent *ep, int flag_mask) { struct sec_entry *p;
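Review bot: the only change in this first cache.c hunk is a blank line added between `#endif` and write_secinfo(); that is a whitespace cleanup unrelated to xprtsec and belongs in 1/4 with the other whitespace fixes, so that the diff of this patch contains only the feature.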
@@ -949,7 +950,20 @@ static void write_secinfo(char **bp, int *blen, struct exportent *ep, int flag_m qword_addint(bp, blen, p->flav->fnum); qword_addint(bp, blen, p->flags & flag_mask); } +} + +static void write_xprtsec(char **bp, int *blen, struct exportent *ep) +{ + struct xprtsec_entry *p; + + for (p = ep->e_xprtsec; p->info; p++); + if (p == ep->e_xprtsec) + return; + qword_add(bp, blen, "xprtsec"); + qword_addint(bp, blen, p - ep->e_xprtsec); + for (p = ep->e_xprtsec; p->info; p++) + qword_addint(bp, blen, p->info->number); } static int dump_to_cache(int f, char *buf, int blen, char *domain, @@ -992,6 +1006,7 @@ static int dump_to_cache(int f, char *buf, int blen, char *domain, qword_add(&bp, &blen, "uuid"); qword_addhex(&bp, &blen, u, 16); } + write_xprtsec(&bp, &blen, exp); xlog(D_AUTH, "granted access to %s for %s", path, *domain == '$' ? domain+1 : domain); } else { diff --git a/support/include/nfs/export.h b/support/include/nfs/export.h index 0eca828ee3ad..be5867cffc3c 100644 --- a/support/include/nfs/export.h +++ b/support/include/nfs/export.h @@ -40,4 +40,18 @@ #define NFSEXP_OLD_SECINFO_FLAGS (NFSEXP_READONLY | NFSEXP_ROOTSQUASH \ | NFSEXP_ALLSQUASH) +/* + * Transport layer security policies that are permitted to access + * an export + */ +#define NFSEXP_XPRTSEC_NONE 0x0001 +#define NFSEXP_XPRTSEC_TLS 0x0002 +#define NFSEXP_XPRTSEC_MTLS 0x0004 + +#define NFSEXP_XPRTSEC_NUM (3) + +#define NFSEXP_XPRTSEC_ALL (NFSEXP_XPRTSEC_NONE | \ + NFSEXP_XPRTSEC_TLS | \ + NFSEXP_XPRTSEC_MTLS) + #endif /* _NSF_EXPORT_H */ diff --git a/support/include/nfslib.h b/support/include/nfslib.h index 6faba71bf0cd..61c19933ae01 100644 --- a/support/include/nfslib.h +++ b/support/include/nfslib.h 
@@ -62,6 +62,18 @@ struct sec_entry { int flags; }; +#define XPRTSECMODE_COUNT 3 + +struct xprtsec_info { + const char *name; + int number; +}; + +struct xprtsec_entry { + const struct xprtsec_info *info; + int flags; +}; + /* * Data related to a single exports entry as returned by getexportent. * FIXME: export options should probably be parsed at a later time to @@ -83,6 +95,7 @@ struct exportent { char * e_fslocdata; char * e_uuid; struct sec_entry e_secinfo[SECFLAVOR_COUNT+1]; + struct xprtsec_entry e_xprtsec[XPRTSECMODE_COUNT + 1]; unsigned int e_ttl; char * e_realpath; }; @@ -99,6 +112,7 @@ struct rmtabent { void setexportent(char *fname, char *type); struct exportent * getexportent(int,int); void secinfo_show(FILE *fp, struct exportent *ep); +void xprtsecinfo_show(FILE *fp, struct exportent *ep); void putexportent(struct exportent *xep); void endexportent(void); struct exportent * mkexportent(char *hname, char *path, char *opts); diff --git a/support/nfs/exports.c b/support/nfs/exports.c index 7f12383981c3..da8ace3a65fd 100644 --- a/support/nfs/exports.c +++ b/support/nfs/exports.c @@ -99,6 +99,7 @@ static void init_exportent (struct exportent *ee, int fromkernel) ee->e_fslocmethod = FSLOC_NONE; ee->e_fslocdata = NULL; ee->e_secinfo[0].flav = NULL; + ee->e_xprtsec[0].info = NULL; ee->e_nsquids = 0; ee->e_nsqgids = 0; ee->e_uuid = NULL; @@ -248,6 +249,17 @@ void secinfo_show(FILE *fp, struct exportent *ep) } } +void xprtsecinfo_show(FILE *fp, struct exportent *ep) +{ + struct xprtsec_entry *p1, *p2; + + for (p1 = ep->e_xprtsec; p1->info; p1 = p2) { + fprintf(fp, ",xprtsec=%s", p1->info->name); + for (p2 = p1 + 1; p2->info && (p1->flags == p2->flags); p2++) + fprintf(fp, ":%s", p2->info->name); + } +} + static void fprintpath(FILE *fp, const char *path) { @@ -344,6 +356,7 @@ putexportent(struct exportent *ep) } fprintf(fp, "anonuid=%d,anongid=%d", ep->e_anonuid, ep->e_anongid); secinfo_show(fp, ep); + xprtsecinfo_show(fp, ep); fprintf(fp, ")\n"); } 
@@ -482,6 +495,75 @@ static unsigned int parse_flavors(char *str, struct exportent *ep) return out; } +static const struct xprtsec_info xprtsec_name2info[] = { + { "none", NFSEXP_XPRTSEC_NONE }, + { "tls", NFSEXP_XPRTSEC_TLS }, + { "mtls", NFSEXP_XPRTSEC_MTLS }, + { NULL, 0 } +}; + +static const struct xprtsec_info *find_xprtsec_info(const char *name) +{ + const struct xprtsec_info *info; + + for (info = xprtsec_name2info; info->name; info++) + if (strcmp(info->name, name) == 0) + return info; + return NULL; +} + +/* + * Append the given xprtsec mode to the exportent's e_xprtsec array, + * or do nothing if it's already there. Returns the index of flavor in + * the resulting array in any case. + */ +static int xprtsec_addmode(const struct xprtsec_info *info, struct exportent *ep) +{ + struct xprtsec_entry *p; + + for (p = ep->e_xprtsec; p->info; p++) + if (p->info == info || p->info->number == info->number) + return p - ep->e_xprtsec; + + if (p - ep->e_xprtsec >= XPRTSECMODE_COUNT) { + xlog(L_ERROR, "more than %d xprtsec modes on an export\n", + XPRTSECMODE_COUNT); + return -1; + } + p->info = info; + p->flags = ep->e_flags; + (p + 1)->info = NULL; + return p - ep->e_xprtsec; +} + +/* + * @str is a colon seperated list of transport layer security modes. + * Their order is recorded in @ep, and a bitmap corresponding to the + * list is returned. + * + * A zero return indicates an error. + */ +static unsigned int parse_xprtsec(char *str, struct exportent *ep) +{ + unsigned int out = 0; + char *name; + + while ((name = strsep(&str, ":"))) { + const struct xprtsec_info *info = find_xprtsec_info(name); + int bit; + + if (!info) { + xlog(L_ERROR, "unknown xprtsec mode %s\n", name); + return 0; + } + bit = xprtsec_addmode(info, ep); + if (bit < 0) + return 0; + out |= 1 << bit; + } + return out; +} + /* Sets the bits in @mask for the appropriate security flavor flags. */ static void setflags(int mask, unsigned int active, struct exportent *ep) { 
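Review bot: the diagnostics in parse_xprtsec() and xprtsec_addmode() ("unknown xprtsec mode %s", "more than %d xprtsec modes on an export") do not carry the file name and line number that the other parseopts() errors print (compare "%s: %d: bad anonuid" in the same function), so an administrator with a large exports file gets no pointer to the offending entry; pass flname and flline through, or emit the message from the parseopts() caller. Two smaller points in the same hunk: an empty element such as `xprtsec=tls::mtls` or a trailing colon makes strsep() return "", which is rejected, but as "unknown xprtsec mode " with an empty name, so an explicit "empty xprtsec mode" message would be clearer; and the comment block has "seperated" (separated) and "Returns the index of flavor", a leftover from the secinfo wording, where "mode" is meant.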
@@ -687,6 +769,9 @@ bad_option: active = parse_flavors(opt+4, ep); if (!active) goto bad_option; + } else if (strncmp(opt, "xprtsec=", 8) == 0) { + if (!parse_xprtsec(opt + 8, ep)) + goto bad_option; } else { xlog(L_ERROR, "%s:%d: unknown keyword \"%s\"\n", flname, flline, opt); diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c index 6d79a5b3480d..37b9e4b3612d 100644 --- a/utils/exportfs/exportfs.c +++ b/utils/exportfs/exportfs.c 
@@ -743,6 +743,7 @@ dump(int verbose, int export_format) #endif } secinfo_show(stdout, ep); + xprtsecinfo_show(stdout, ep); printf("%c\n", (c != '(')? ')' : ' '); } }
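Review bot: in write_xprtsec() in support/export/cache.c the counting loop `for (p = ep->e_xprtsec; p->info; p++);` keeps its entire body in the trailing semicolon, which is easy to misread as a loop over the `if` that follows; an explicit counter, or at least the semicolon on its own line with a `/* count entries */` comment, would make the intent obvious. More importantly, only `p->info->number` is pushed to the kernel: the per-mode `flags` that xprtsec_addmode() records from `ep->e_flags`, and that xprtsecinfo_show() uses to group the printed list, are never written to the cache, so any per-policy option variation is displayed by exportfs but not passed on. Either write the flags as write_secinfo() does or drop the `flags` member from struct xprtsec_entry and the grouping in xprtsecinfo_show().

Review bot: the export.h hunk defines NFSEXP_XPRTSEC_NUM (3) while the nfslib.h hunk defines XPRTSECMODE_COUNT 3 for the same quantity, and only XPRTSECMODE_COUNT is referenced anywhere in this patch; define one in terms of the other, or drop NFSEXP_XPRTSEC_NUM, so the two cannot drift apart when a policy is added.

Review bot: in the parseopts() hunk for "xprtsec=" the value returned by parse_xprtsec() is only tested for zero, so the bitmap the function builds (`out |= 1 << bit`, where `bit` is the position in e_xprtsec rather than one of the NFSEXP_XPRTSEC_* values) is dead code, unlike the `active` mask that parse_flavors() returns and setflags() consumes. Either return the NFSEXP_XPRTSEC_* bits and use them, or make parse_xprtsec() return a plain status and remove the "a bitmap corresponding to the list is returned" sentence from its comment.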
Subject: [PATCH v2 3/4] exports(5): Describe the xprtsec= export option From: Chuck Lever To: SteveD@redhat.com Cc: linux-nfs@vger.kernel.org, rick.macklem@gmail.com, kernel-tls-handshake@lists.linux.dev Date: Wed, 29 Mar 2023 10:08:25 -0400 Message-ID: <168009890542.2522.10109556599153238262.stgit@manet.1015granger.net> In-Reply-To: <168009806320.2522.10415374334827613451.stgit@manet.1015granger.net> References: <168009806320.2522.10415374334827613451.stgit@manet.1015granger.net>
From: Chuck Lever Cc: Rick Macklem Signed-off-by: Chuck Lever --- utils/exportfs/exports.man | 51 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 50 insertions(+), 1 deletion(-)
diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man index 54b3f8776ea6..83dd6807c570 100644 --- a/utils/exportfs/exports.man +++ b/utils/exportfs/exports.man
@@ -125,7 +125,55 @@ In that case you may include multiple sec= options, and following options will be enforced only for access using flavors listed in the immediately preceding sec= option. The only options that are permitted to vary in this way are ro, rw, no_root_squash, root_squash, and all_squash. +.SS Transport layer security +The Linux NFS server allows the use of RPC-with-TLS (RFC 9289) to +protect RPC traffic between itself and its clients. +Alternately, administrators can secure NFS traffic using a VPN, +or an ssh tunnel or similar mechanism, in a way that is transparent +to the server. .PP +To enable the use of RPC-with-TLS, the server's administrator must +install and configure +.BR tlshd +to handle transport layer security handshake requests from the local +kernel. +Clients can then choose to use RPC-with-TLS or they may continue +operating without it. +.PP +Administrators may require the use of RPC-with-TLS to protect access +to individual exports. +This is particularly useful when using non-cryptographic security +flavors such as +.IR sec=sys . +The +.I xprtsec= +option, followed by an unordered colon-delimited list of security policies, +can restrict access to the export to only clients that have negotiated +transport-layer security. +Currently supported transport layer security policies include: +.TP +.IR none +The server permits clients to access the export +without the use of transport layer security. +.TP +.IR tls +The server permits clients that have negotiated an RPC-with-TLS session +without peer authentication (confidentiality only) to access the export. +Clients are not required to offer an x.509 certificate +when establishing a transport layer security session. +.TP +.IR mtls +The server permits clients that have negotiated an RPC-with-TLS session +with peer authentication to access the export. +The server requires clients to offer an x.509 certificate +when establishing a transport layer security session. 
+.PP +If RPC-with-TLS is configured and enabled and the +.I xprtsec= +option is not specified, the default setting for an export is +.IR xprtsec=none:tls:mtls . +With this setting, the server permits clients to use any transport +layer security mechanism or none at all to access the export. .SS General Options .BR exportfs understands the following export options: 
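Review bot: the new "Transport layer security" section says xprtsec= "can restrict access to the export to only clients that have negotiated transport-layer security", but a list that includes `none` permits exactly the opposite, and the stated default of `xprtsec=none:tls:mtls` is the kernel's, not exportfs's: in 2/4 write_xprtsec() writes nothing to the cache when no xprtsec= option was given. Suggest saying plainly that transport layer security becomes mandatory only when `none` is left out of the list (e.g. `xprtsec=tls:mtls`), and wording the default as "the kernel's default, currently equivalent to xprtsec=none:tls:mtls". The phrase "an unordered colon-delimited list" also conflicts with the parse_xprtsec() comment in 2/4, which says the order is recorded; state which it is.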
@@ -581,7 +629,8 @@ a character class wildcard match. .BR netgroup (5), .BR mountd (8), .BR nfsd (8), -.BR showmount (8). +.BR showmount (8), +.BR tlshd (8). .\".SH DIAGNOSTICS .\"An error parsing the file is reported using syslogd(8) as level NOTICE from .\"a DAEMON whenever
Subject: [PATCH v2 4/4] nfs(5): Document the new "xprtsec=" mount option From: Chuck Lever To: SteveD@redhat.com Cc: linux-nfs@vger.kernel.org, rick.macklem@gmail.com, kernel-tls-handshake@lists.linux.dev Date: Wed, 29 Mar 2023 10:08:31 -0400 Message-ID: <168009891187.2522.6811718417615257679.stgit@manet.1015granger.net> In-Reply-To: <168009806320.2522.10415374334827613451.stgit@manet.1015granger.net> References: <168009806320.2522.10415374334827613451.stgit@manet.1015granger.net>
From: Chuck Lever More information about RPC-with-TLS and some brief set-up guidance are to be provided in a separate man page in Section 7. Signed-off-by: Chuck Lever --- utils/mount/nfs.man | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man index d9f34df36b42..7a410422897c 100644 --- a/utils/mount/nfs.man +++ b/utils/mount/nfs.man
@@ -574,7 +574,39 @@ The .B sloppy option is an alternative to specifying .BR mount.nfs " -s " option. - +.TP 1.5i +.BI xprtsec= policy +Specifies the use of transport layer security to protect NFS network +traffic on behalf of this mount point. +.I policy +can be one of +.BR none , +.BR tls , +or +.BR mtls . +.IP +If +.B none +is specified, +transport layer security is forced off, even if the NFS server supports +transport layer security. +If +.B tls +is specified, the client uses RPC-with-TLS to provide in-transit +confidentiality. +If +.B mtls +is specified, the client uses RPC-with-TLS to authenticate itself and +to provide in-transit confidentiality. +If the server does not support RPC-with-TLS or peer authentication +fails, the mount attempt fails. +.IP +If the +.B xprtsec= +option is not specified, +the default behavior depends on the kernel, +but is usually equivalent to +.BR "xprtsec=none" . .SS "Options for NFS versions 2 and 3 only" Use these options, along with the options in the above subsection, for NFS versions 2 and 3 only.
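Review bot: the sentence "If the server does not support RPC-with-TLS or peer authentication fails, the mount attempt fails" comes after the `mtls` paragraph, so it reads as applying only to `mtls`; the `tls` paragraph should say what happens when the server lacks RPC-with-TLS (does the mount fail, or does the client fall back to cleartext?), because that difference is the whole security value of the option to an administrator. The closing "the default behavior depends on the kernel, but is usually equivalent to xprtsec=none" is too vague for a man page; if the default varies by kernel version, say so explicitly, otherwise state the default as `none`.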