[v2,00/15] RPC-with-TLS client side

Message ID 165452664596.1496.16204212908726904739.stgit@oracle-102.nfsv4.dev (mailing list archive)

Message

Chuck Lever June 6, 2022, 2:50 p.m. UTC
Now that the initial v5.19 merge window has closed, it's time for
another round of review for RPC-with-TLS support in the Linux NFS
client. This is just the RPC-specific portions. The full series is
available in the "topic-rpc-with-tls-upcall" branch here:

https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git

I've taken two or three steps towards implementing the architecture
Trond requested during the last review. There is now a two-stage
connection establishment process so that the upper level can use
XPRT_CONNECTED to determine when a TLS session is ready to use.
There are probably additional changes and simplifications that can
be made. Please review and provide feedback.

I wanted to make more progress on client-side authentication (ie,
passing an x.509 cert from the client to the server) but NFSD bugs
have taken all my time for the past few weeks.


Changes since v1:
- Rebased on v5.18
- Re-ordered so generic fixes come first
- Addressed some of Trond's review comments

---

Chuck Lever (15):
      SUNRPC: Fail faster on bad verifier
      SUNRPC: Widen rpc_task::tk_flags
      SUNRPC: Replace dprintk() call site in xs_data_ready
      NFS: Replace fs_context-related dprintk() call sites with tracepoints
      SUNRPC: Plumb an API for setting transport layer security
      SUNRPC: Trace the rpc_create_args
      SUNRPC: Refactor rpc_call_null_helper()
      SUNRPC: Add RPC client support for the RPC_AUTH_TLS auth flavor
      SUNRPC: Ignore data_ready callbacks during TLS handshakes
      SUNRPC: Capture cmsg metadata on client-side receive
      SUNRPC: Add a connect worker function for TLS
      SUNRPC: Add RPC-with-TLS support to xprtsock.c
      SUNRPC: Add RPC-with-TLS tracepoints
      NFS: Have struct nfs_client carry a TLS policy field
      NFS: Add an "xprtsec=" NFS mount option


 fs/nfs/client.c                 |  14 ++
 fs/nfs/fs_context.c             |  65 +++++--
 fs/nfs/internal.h               |   2 +
 fs/nfs/nfs3client.c             |   1 +
 fs/nfs/nfs4client.c             |  16 +-
 fs/nfs/nfstrace.h               |  77 ++++++++
 fs/nfs/super.c                  |   7 +
 include/linux/nfs_fs_sb.h       |   5 +-
 include/linux/sunrpc/auth.h     |   1 +
 include/linux/sunrpc/clnt.h     |  15 +-
 include/linux/sunrpc/sched.h    |  32 ++--
 include/linux/sunrpc/xprt.h     |   2 +
 include/linux/sunrpc/xprtsock.h |   4 +
 include/net/tls.h               |   2 +
 include/trace/events/sunrpc.h   | 157 ++++++++++++++--
 net/sunrpc/Makefile             |   2 +-
 net/sunrpc/auth.c               |   2 +-
 net/sunrpc/auth_tls.c           | 120 +++++++++++++
 net/sunrpc/clnt.c               |  34 ++--
 net/sunrpc/debugfs.c            |   2 +-
 net/sunrpc/xprtsock.c           | 310 +++++++++++++++++++++++++++++++-
 21 files changed, 805 insertions(+), 65 deletions(-)
 create mode 100644 net/sunrpc/auth_tls.c

--
Chuck Lever
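The two patches "Add RPC client support for the RPC_AUTH_TLS auth flavor" and "Fail faster on bad verifier" both concern the RPC-with-TLS probe defined in RFC 9289: the client sends a NULL procedure call whose credential flavor is AUTH_TLS (7) with an empty body, and a server that is willing to start TLS on that connection answers with an AUTH_NONE verifier whose body is the eight ASCII bytes "STARTTLS". Anything else means the connection stays plain text, and a client that insists on TLS must refuse to proceed rather than treating the reply as success. The following is an added, self-contained user-space illustration of that exchange; it is not code from the series or from net/sunrpc/auth_tls.c. The XDR framing follows RFC 5531, the program number defaults to NFS (100003) as an assumption, and the server replies are constructed in place for the demonstration.

```python
import struct

# RPC message constants (RFC 5531) and the AUTH_TLS flavor number (RFC 9289).
CALL, REPLY = 0, 1
MSG_ACCEPTED, MSG_DENIED = 0, 1
SUCCESS = 0
RPC_VERSION = 2
NULLPROC = 0
AUTH_NONE = 0
AUTH_TLS = 7
STARTTLS = b"STARTTLS"
NFS_PROGRAM = 100003  # assumption: NFS is the page's use case; any program works


def xdr_u32(value):
    return struct.pack(">I", value)


def xdr_opaque(data):
    """Variable-length XDR opaque: 4-byte length, the bytes, padding to a 4-byte boundary."""
    return xdr_u32(len(data)) + data + b"\0" * ((-len(data)) % 4)


def build_auth_tls_probe(xid, prog=NFS_PROGRAM, vers=4):
    """NULL call carrying an AUTH_TLS credential with an empty body and an empty AUTH_NONE verifier."""
    return b"".join([
        xdr_u32(xid), xdr_u32(CALL), xdr_u32(RPC_VERSION),
        xdr_u32(prog), xdr_u32(vers), xdr_u32(NULLPROC),
        xdr_u32(AUTH_TLS), xdr_opaque(b""),
        xdr_u32(AUTH_NONE), xdr_opaque(b""),
    ])


def build_null_reply(xid, verf_body):
    """Constructed server reply (demonstration only): accepted NULL reply with an AUTH_NONE verifier."""
    return b"".join([
        xdr_u32(xid), xdr_u32(REPLY), xdr_u32(MSG_ACCEPTED),
        xdr_u32(AUTH_NONE), xdr_opaque(verf_body),
        xdr_u32(SUCCESS),
    ])


class XdrReader:
    """Minimal bounds-checked XDR decoder; raises ValueError on a truncated stream."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated XDR stream")
        (value,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return value

    def opaque(self, limit=400):
        # RFC 5531 caps credential and verifier bodies at 400 bytes; refuse larger claims.
        length = self.u32()
        if length > limit:
            raise ValueError("opaque body exceeds %d bytes" % limit)
        end = self.pos + length
        if end > len(self.data):
            raise ValueError("truncated opaque body")
        value = self.data[self.pos:end]
        self.pos = end + ((-length) % 4)
        return value


def server_offers_tls(reply, expected_xid):
    """True only when the server accepted our probe and answered with the STARTTLS verifier.

    The flavor, body and accept_stat are all checked: a plain-text server answers the
    same NULL call with an empty verifier, and that must not be mistaken for consent.
    """
    r = XdrReader(reply)
    if r.u32() != expected_xid or r.u32() != REPLY:
        return False
    if r.u32() != MSG_ACCEPTED:
        return False  # MSG_DENIED (e.g. AUTH_ERROR): no RPC-with-TLS on this server
    flavor, body = r.u32(), r.opaque()
    if r.u32() != SUCCESS:
        return False
    return flavor == AUTH_NONE and body == STARTTLS


if __name__ == "__main__":
    probe = build_auth_tls_probe(0x1234)
    print("probe:", probe.hex())
    print("STARTTLS reply:", server_offers_tls(build_null_reply(0x1234, STARTTLS), 0x1234))
    print("empty verifier:", server_offers_tls(build_null_reply(0x1234, b""), 0x1234))
    print("wrong xid:", server_offers_tls(build_null_reply(0x9999, STARTTLS), 0x1234))
```

A client with a strict policy (the series' "xprtsec=" mount option with TLS required) would only hand the socket to the TLS handshake when `server_offers_tls()` returns True; a truncated or malformed reply raises ValueError and is likewise treated as a failed probe, which is the fast-fail behaviour the bad-verifier patch is after.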

Comments

Jeff Layton July 12, 2022, 12:36 p.m. UTC | #1
On Mon, 2022-06-06 at 10:50 -0400, Chuck Lever wrote:
> Now that the initial v5.19 merge window has closed, it's time for
> another round of review for RPC-with-TLS support in the Linux NFS
> client. This is just the RPC-specific portions. The full series is
> available in the "topic-rpc-with-tls-upcall" branch here:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git
> 
> I've taken two or three steps towards implementing the architecture
> Trond requested during the last review. There is now a two-stage
> connection establishment process so that the upper level can use
> XPRT_CONNECTED to determine when a TLS session is ready to use.
> There are probably additional changes and simplifications that can
> be made. Please review and provide feedback.
> 
> I wanted to make more progress on client-side authentication (ie,
> passing an x.509 cert from the client to the server) but NFSD bugs
> have taken all my time for the past few weeks.
> 
> 
> Changes since v1:
> - Rebased on v5.18
> - Re-ordered so generic fixes come first
> - Addressed some of Trond's review comments
> 
> ---
> 
> Chuck Lever (15):
>       SUNRPC: Fail faster on bad verifier
>       SUNRPC: Widen rpc_task::tk_flags
>       SUNRPC: Replace dprintk() call site in xs_data_ready
>       NFS: Replace fs_context-related dprintk() call sites with tracepoints
>       SUNRPC: Plumb an API for setting transport layer security
>       SUNRPC: Trace the rpc_create_args
>       SUNRPC: Refactor rpc_call_null_helper()
>       SUNRPC: Add RPC client support for the RPC_AUTH_TLS auth flavor
>       SUNRPC: Ignore data_ready callbacks during TLS handshakes
>       SUNRPC: Capture cmsg metadata on client-side receive
>       SUNRPC: Add a connect worker function for TLS
>       SUNRPC: Add RPC-with-TLS support to xprtsock.c
>       SUNRPC: Add RPC-with-TLS tracepoints
>       NFS: Have struct nfs_client carry a TLS policy field
>       NFS: Add an "xprtsec=" NFS mount option
> 
> 
>  fs/nfs/client.c                 |  14 ++
>  fs/nfs/fs_context.c             |  65 +++++--
>  fs/nfs/internal.h               |   2 +
>  fs/nfs/nfs3client.c             |   1 +
>  fs/nfs/nfs4client.c             |  16 +-
>  fs/nfs/nfstrace.h               |  77 ++++++++
>  fs/nfs/super.c                  |   7 +
>  include/linux/nfs_fs_sb.h       |   5 +-
>  include/linux/sunrpc/auth.h     |   1 +
>  include/linux/sunrpc/clnt.h     |  15 +-
>  include/linux/sunrpc/sched.h    |  32 ++--
>  include/linux/sunrpc/xprt.h     |   2 +
>  include/linux/sunrpc/xprtsock.h |   4 +
>  include/net/tls.h               |   2 +
>  include/trace/events/sunrpc.h   | 157 ++++++++++++++--
>  net/sunrpc/Makefile             |   2 +-
>  net/sunrpc/auth.c               |   2 +-
>  net/sunrpc/auth_tls.c           | 120 +++++++++++++
>  net/sunrpc/clnt.c               |  34 ++--
>  net/sunrpc/debugfs.c            |   2 +-
>  net/sunrpc/xprtsock.c           | 310 +++++++++++++++++++++++++++++++-
>  21 files changed, 805 insertions(+), 65 deletions(-)
>  create mode 100644 net/sunrpc/auth_tls.c
> 
> --
> Chuck Lever
> 

Chuck,

How have you been testing this series? It looks like nfsd support is not
fully in yet, so I was wondering if you had a 3rd party server. I'd like
to do a little testing with this, and was wondering what I needed to
cobble together a test rig.

Thanks,
Chuck Lever July 12, 2022, 1:48 p.m. UTC | #2
> On Jul 12, 2022, at 8:36 AM, Jeff Layton <jlayton@kernel.org> wrote:
> 
> On Mon, 2022-06-06 at 10:50 -0400, Chuck Lever wrote:
>> Now that the initial v5.19 merge window has closed, it's time for
>> another round of review for RPC-with-TLS support in the Linux NFS
>> client. This is just the RPC-specific portions. The full series is
>> available in the "topic-rpc-with-tls-upcall" branch here:
>> 
>> https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git
>> 
>> I've taken two or three steps towards implementing the architecture
>> Trond requested during the last review. There is now a two-stage
>> connection establishment process so that the upper level can use
>> XPRT_CONNECTED to determine when a TLS session is ready to use.
>> There are probably additional changes and simplifications that can
>> be made. Please review and provide feedback.
>> 
>> I wanted to make more progress on client-side authentication (ie,
>> passing an x.509 cert from the client to the server) but NFSD bugs
>> have taken all my time for the past few weeks.
>> 
>> 
>> Changes since v1:
>> - Rebased on v5.18
>> - Re-ordered so generic fixes come first
>> - Addressed some of Trond's review comments
>> 
>> ---
>> 
>> Chuck Lever (15):
>>      SUNRPC: Fail faster on bad verifier
>>      SUNRPC: Widen rpc_task::tk_flags
>>      SUNRPC: Replace dprintk() call site in xs_data_ready
>>      NFS: Replace fs_context-related dprintk() call sites with tracepoints
>>      SUNRPC: Plumb an API for setting transport layer security
>>      SUNRPC: Trace the rpc_create_args
>>      SUNRPC: Refactor rpc_call_null_helper()
>>      SUNRPC: Add RPC client support for the RPC_AUTH_TLS auth flavor
>>      SUNRPC: Ignore data_ready callbacks during TLS handshakes
>>      SUNRPC: Capture cmsg metadata on client-side receive
>>      SUNRPC: Add a connect worker function for TLS
>>      SUNRPC: Add RPC-with-TLS support to xprtsock.c
>>      SUNRPC: Add RPC-with-TLS tracepoints
>>      NFS: Have struct nfs_client carry a TLS policy field
>>      NFS: Add an "xprtsec=" NFS mount option
>> 
>> 
>> fs/nfs/client.c                 |  14 ++
>> fs/nfs/fs_context.c             |  65 +++++--
>> fs/nfs/internal.h               |   2 +
>> fs/nfs/nfs3client.c             |   1 +
>> fs/nfs/nfs4client.c             |  16 +-
>> fs/nfs/nfstrace.h               |  77 ++++++++
>> fs/nfs/super.c                  |   7 +
>> include/linux/nfs_fs_sb.h       |   5 +-
>> include/linux/sunrpc/auth.h     |   1 +
>> include/linux/sunrpc/clnt.h     |  15 +-
>> include/linux/sunrpc/sched.h    |  32 ++--
>> include/linux/sunrpc/xprt.h     |   2 +
>> include/linux/sunrpc/xprtsock.h |   4 +
>> include/net/tls.h               |   2 +
>> include/trace/events/sunrpc.h   | 157 ++++++++++++++--
>> net/sunrpc/Makefile             |   2 +-
>> net/sunrpc/auth.c               |   2 +-
>> net/sunrpc/auth_tls.c           | 120 +++++++++++++
>> net/sunrpc/clnt.c               |  34 ++--
>> net/sunrpc/debugfs.c            |   2 +-
>> net/sunrpc/xprtsock.c           | 310 +++++++++++++++++++++++++++++++-
>> 21 files changed, 805 insertions(+), 65 deletions(-)
>> create mode 100644 net/sunrpc/auth_tls.c
>> 
>> --
>> Chuck Lever
>> 
> 
> Chuck,
> 
> How have you been testing this series? It looks like nfsd support is not
> fully in yet, so I was wondering if you had a 3rd party server. I'd like
> to do a little testing with this, and was wondering what I needed to
> cobble together a test rig.

Ben Coddington has an nginx module to support RPC-with-TLS that can
front-end a stock Linux NFSD. Rick has a FreeBSD server implementation
of RPC-with-TLS. Rick's probably taken his server down, but Ben's
server is still up on the bake-a-thon VPN.


--
Chuck Lever
Rick Macklem July 13, 2022, 12:51 a.m. UTC | #3
As I already posted to Jeff, I can put the server up for
a day or two at any time anyone would like to test
against it.

It now does TLS1.3 and I'll note the one thing the
server did that caught the FreeBSD client "off guard"
was it sends a couple of post handshake handshake
records. (The FreeBSD client now just tosses these away.)

Just email if/when you'd like to test, rick
Benjamin Coddington July 13, 2022, 1:22 p.m. UTC | #4
On 12 Jul 2022, at 20:51, Rick Macklem wrote:

> As I already posted to Jeff, I can put the server up for
> a day or two at any time anyone would like to test
> against it.
>
> It now does TLS1.3 and I'll note the one thing the
> server did that caught the FreeBSD client "off guard"
> was it sends a couple of post handshake handshake
> records. (The FreeBSD client now just tosses these away.)
>
> Just email if/when you'd like to test, rick

Hey Chuck, is the bakeathon root or intermediate certificate published
somewhere so we can add them to our trust stores?

Ben
Chuck Lever July 13, 2022, 1:32 p.m. UTC | #5
> On Jul 13, 2022, at 9:22 AM, Benjamin Coddington <bcodding@redhat.com> wrote:
> 
> On 12 Jul 2022, at 20:51, Rick Macklem wrote:
> 
>> As I already posted to Jeff, I can put the server up for
>> a day or two at any time anyone would like to test
>> against it.
>> 
>> It now does TLS1.3 and I'll note the one thing the
>> server did that caught the FreeBSD client "off guard"
>> was it sends a couple of post handshake handshake
>> records. (The FreeBSD client now just tosses these away.)
>> 
>> Just email if/when you'd like to test, rick
> 
> Hey Chuck, is the bakeathon root or intermediate certificate published
> somewhere so we can add them to our trust stores?

oracle-102:/export has the bundle and instructions, some of them in English! :-D

--
Chuck Lever
Benjamin Coddington July 14, 2022, 4:24 p.m. UTC | #6
On 12 Jul 2022, at 9:48, Chuck Lever III wrote:

>> On Jul 12, 2022, at 8:36 AM, Jeff Layton <jlayton@kernel.org> wrote:
>>
>> On Mon, 2022-06-06 at 10:50 -0400, Chuck Lever wrote:
>>> Now that the initial v5.19 merge window has closed, it's time for
>>> another round of review for RPC-with-TLS support in the Linux NFS
>>> client. This is just the RPC-specific portions. The full series is
>>> available in the "topic-rpc-with-tls-upcall" branch here:
>>>
>>> https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git
>>>
>>> I've taken two or three steps towards implementing the architecture
>>> Trond requested during the last review. There is now a two-stage
>>> connection establishment process so that the upper level can use
>>> XPRT_CONNECTED to determine when a TLS session is ready to use.
>>> There are probably additional changes and simplifications that can
>>> be made. Please review and provide feedback.
>>>
>>> I wanted to make more progress on client-side authentication (ie,
>>> passing an x.509 cert from the client to the server) but NFSD bugs
>>> have taken all my time for the past few weeks.
>>>
>>>
>>> Changes since v1:
>>> - Rebased on v5.18
>>> - Re-ordered so generic fixes come first
>>> - Addressed some of Trond's review comments
>>>
>>> ---
>>>
>>> Chuck Lever (15):
>>>      SUNRPC: Fail faster on bad verifier
>>>      SUNRPC: Widen rpc_task::tk_flags
>>>      SUNRPC: Replace dprintk() call site in xs_data_ready
>>>      NFS: Replace fs_context-related dprintk() call sites with tracepoints
>>>      SUNRPC: Plumb an API for setting transport layer security
>>>      SUNRPC: Trace the rpc_create_args
>>>      SUNRPC: Refactor rpc_call_null_helper()
>>>      SUNRPC: Add RPC client support for the RPC_AUTH_TLS auth flavor
>>>      SUNRPC: Ignore data_ready callbacks during TLS handshakes
>>>      SUNRPC: Capture cmsg metadata on client-side receive
>>>      SUNRPC: Add a connect worker function for TLS
>>>      SUNRPC: Add RPC-with-TLS support to xprtsock.c
>>>      SUNRPC: Add RPC-with-TLS tracepoints
>>>      NFS: Have struct nfs_client carry a TLS policy field
>>>      NFS: Add an "xprtsec=" NFS mount option
>>>
>>>
>>> fs/nfs/client.c                 |  14 ++
>>> fs/nfs/fs_context.c             |  65 +++++--
>>> fs/nfs/internal.h               |   2 +
>>> fs/nfs/nfs3client.c             |   1 +
>>> fs/nfs/nfs4client.c             |  16 +-
>>> fs/nfs/nfstrace.h               |  77 ++++++++
>>> fs/nfs/super.c                  |   7 +
>>> include/linux/nfs_fs_sb.h       |   5 +-
>>> include/linux/sunrpc/auth.h     |   1 +
>>> include/linux/sunrpc/clnt.h     |  15 +-
>>> include/linux/sunrpc/sched.h    |  32 ++--
>>> include/linux/sunrpc/xprt.h     |   2 +
>>> include/linux/sunrpc/xprtsock.h |   4 +
>>> include/net/tls.h               |   2 +
>>> include/trace/events/sunrpc.h   | 157 ++++++++++++++--
>>> net/sunrpc/Makefile             |   2 +-
>>> net/sunrpc/auth.c               |   2 +-
>>> net/sunrpc/auth_tls.c           | 120 +++++++++++++
>>> net/sunrpc/clnt.c               |  34 ++--
>>> net/sunrpc/debugfs.c            |   2 +-
>>> net/sunrpc/xprtsock.c           | 310 +++++++++++++++++++++++++++++++-
>>> 21 files changed, 805 insertions(+), 65 deletions(-)
>>> create mode 100644 net/sunrpc/auth_tls.c
>>>
>>> --
>>> Chuck Lever
>>>
>>
>> Chuck,
>>
>> How have you been testing this series? It looks like nfsd support is not
>> fully in yet, so I was wondering if you had a 3rd party server. I'd like
>> to do a little testing with this, and was wondering what I needed to
>> cobble together a test rig.
>
> Ben Coddington has an nginx module to support RPC-with-TLS that can
> front-end a stock Linux NFSD. Rick has a FreeBSD server implementation
> of RPC-with-TLS. Rick's probably taken his server down, but Ben's
> server is still up on the bake-a-thon VPN.

That server now has a proper certificate for CN=boson.nfsv4.dev signed 
by the bakeathon CA (thanks Chuck).

I've also (finally) put the nginx module code up on github if anyone 
else wants to throw it in front of a server:
https://github.com/bcodding/nginx-rpc-tls

Ben
Jeff Layton July 18, 2022, 8:25 p.m. UTC | #7
On Mon, 2022-06-06 at 10:50 -0400, Chuck Lever wrote:
> Now that the initial v5.19 merge window has closed, it's time for
> another round of review for RPC-with-TLS support in the Linux NFS
> client. This is just the RPC-specific portions. The full series is
> available in the "topic-rpc-with-tls-upcall" branch here:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git
> 
> I've taken two or three steps towards implementing the architecture
> Trond requested during the last review. There is now a two-stage
> connection establishment process so that the upper level can use
> XPRT_CONNECTED to determine when a TLS session is ready to use.
> There are probably additional changes and simplifications that can
> be made. Please review and provide feedback.
> 
> I wanted to make more progress on client-side authentication (ie,
> passing an x.509 cert from the client to the server) but NFSD bugs
> have taken all my time for the past few weeks.
> 
> 
> Changes since v1:
> - Rebased on v5.18
> - Re-ordered so generic fixes come first
> - Addressed some of Trond's review comments
> 
> ---
> 
> Chuck Lever (15):
>       SUNRPC: Fail faster on bad verifier
>       SUNRPC: Widen rpc_task::tk_flags
>       SUNRPC: Replace dprintk() call site in xs_data_ready
>       NFS: Replace fs_context-related dprintk() call sites with tracepoints
>       SUNRPC: Plumb an API for setting transport layer security
>       SUNRPC: Trace the rpc_create_args
>       SUNRPC: Refactor rpc_call_null_helper()
>       SUNRPC: Add RPC client support for the RPC_AUTH_TLS auth flavor
>       SUNRPC: Ignore data_ready callbacks during TLS handshakes
>       SUNRPC: Capture cmsg metadata on client-side receive
>       SUNRPC: Add a connect worker function for TLS
>       SUNRPC: Add RPC-with-TLS support to xprtsock.c
>       SUNRPC: Add RPC-with-TLS tracepoints
>       NFS: Have struct nfs_client carry a TLS policy field
>       NFS: Add an "xprtsec=" NFS mount option
> 
> 
>  fs/nfs/client.c                 |  14 ++
>  fs/nfs/fs_context.c             |  65 +++++--
>  fs/nfs/internal.h               |   2 +
>  fs/nfs/nfs3client.c             |   1 +
>  fs/nfs/nfs4client.c             |  16 +-
>  fs/nfs/nfstrace.h               |  77 ++++++++
>  fs/nfs/super.c                  |   7 +
>  include/linux/nfs_fs_sb.h       |   5 +-
>  include/linux/sunrpc/auth.h     |   1 +
>  include/linux/sunrpc/clnt.h     |  15 +-
>  include/linux/sunrpc/sched.h    |  32 ++--
>  include/linux/sunrpc/xprt.h     |   2 +
>  include/linux/sunrpc/xprtsock.h |   4 +
>  include/net/tls.h               |   2 +
>  include/trace/events/sunrpc.h   | 157 ++++++++++++++--
>  net/sunrpc/Makefile             |   2 +-
>  net/sunrpc/auth.c               |   2 +-
>  net/sunrpc/auth_tls.c           | 120 +++++++++++++
>  net/sunrpc/clnt.c               |  34 ++--
>  net/sunrpc/debugfs.c            |   2 +-
>  net/sunrpc/xprtsock.c           | 310 +++++++++++++++++++++++++++++++-
>  21 files changed, 805 insertions(+), 65 deletions(-)
>  create mode 100644 net/sunrpc/auth_tls.c
> 
> --
> Chuck Lever
> 

This looks pretty good overall. Nice work, Chuck. FWIW, I pulled these
and ktls-utils down and gave them a spin and they worked just fine. You
can add:

Tested-by: Jeff Layton <jlayton@kernel.org>