From nobody Tue Feb 10 15:45:58 2026 Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com [209.85.210.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CA1D01A9FB8 for ; Fri, 17 Oct 2025 04:23:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.178 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760675020; cv=none; b=jPMuUob+pnHN3T+wl0o6nwuO8CNHpsKFi0puQ7GHcZKlffDDmYxKdvrjy9wAfw6wigCo9utiKYG/SvFL+u7N8QvyJAVtZhAIfVg4x0tSyapYNZzIkUzF7gPpAY7T7W1tWsjOaKV+cnmGFUy97zpaBVJm1PaY9ZyNGRiBKZnIjX0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760675020; c=relaxed/simple; bh=duddJN0kQkHYKxRPfiW8CpFJ4dQVX39UNzxDdQSpByw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=RLs5lN0grc+IxkDNYS+/8O6Bm9vKt6p83XFB7E3ioJyL5DFQhCUa+hZPlI6vM/3kZ7sc5No1tP+9vUTb5isBJWYXyWWHiRuZ5T5R5CgTkxn4a2z4t844d8U2WSlYN0U+sR1a8Ov4fs5U3Liho0VYn+0uf10HmcJJBQyYIVaQ+DE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=BeUbD9kJ; arc=none smtp.client-ip=209.85.210.178 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="BeUbD9kJ" Received: by mail-pf1-f178.google.com with SMTP id d2e1a72fcca58-789fb76b466so1458328b3a.0 for ; Thu, 16 Oct 2025 21:23:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760675018; x=1761279818; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=jjVILfauIufUxhc7OT1sVnMmTMxe8Z64uh1TdUKNmZM=; b=BeUbD9kJLnxKuXC5CodC5/RJB8Wn5N6uwaf23vD+xxE3p5mXTx9bMBDmzc9l/3hmmA tqB77z3a/ntjyeiiCC3HZ93Ojutn9RqJwBgsVA56qRucf072R5U0QbgwalS8RbEj0Ovh YegEaZLTpAr6iCK8Xm4C/JeCtLDmZ4NdVhuIL/vH6Y1H2adqaAKyWoMKBDtZHRgCNIdu yTqNDsc7el4Nvgx0o/2JGFBtDhHuQHrTiUxfSkHfq8FBvYZevlJSWGvndIQckALPe+sS arSGcFAner0wXyKz9q/DNeIFmWSPHPkOanIMOj86XQSQoWf5suBwPX1Xw/G9Nk1AW1j4 gQvw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760675018; x=1761279818; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=jjVILfauIufUxhc7OT1sVnMmTMxe8Z64uh1TdUKNmZM=; b=sEwVp0DJmYxA8VsGVehkYXE6Qd6mxsUTA4onasdmXdgz2/v9yNgcUJEKFunnQbB757 pbfuwAD1sF1R6fqY/QMFSnRNCV2acKsiLrdQyHtSPU3BLpcgmqe6UNaacP8N4kfrdoeG YfvqQ4HKxojUU5t3LRSkg2UKpse+rMQGPstvaoRNgy4fltmjxT9hsRXVWo/5gXzAim+l 7Z7hgKcKae4orTqhJlrJeecpGJkkR5fn5H89MvOjI8ppOqGLtRaL1LPJRjft+YMjX1eG w4pHi0fEnvbfVS8RByVYmEBqRrc5owXBM2S/VrEWVRNYj7wlg1IJzul3JPMJSuuZ/Q8c EbnQ== X-Forwarded-Encrypted: i=1; AJvYcCUlX1/GQSq8ZC82w4VCSF0JbY1b0VRyRvdiUpxKECTjHyI4ep6HmyaMF/z6usHBcNuxb0jrEswr2nhKcHw=@vger.kernel.org X-Gm-Message-State: AOJu0Yw9aEv/LQZxrN7JR9htnnnaoRVUMv7T+duRF47Skc4XFNUpBle/ qq8LRFmqENXMXozCs1q3ffaFwWmPd4XNrNKmuQc5ilM/zfpueffguuN6 X-Gm-Gg: ASbGnctiqSt4ccBsyYh5NMDxsWfRK889zlQe7sQplJUbMqIhaOysJjO251eShQlZjdi J0PuRs2LHkVOalzbfG76Cm9hN2NsdYXiJ2h/rfR7BP8TjuKpZzf5IPyGZF6c6bXrNHyE/VL73ew MYBhbDi894+s7SV4GDo/LqKiiPgq0/3tmHfmaCRb9hLrfF4PbKnubWhRGrxYEXWlN1PzOnoJk9D B/TXVV4W0asrR/SIzbYqhkkBom5zCIW7MIqjwC19wxlju6Zci0O1ci9Q+5Dqy7o6E3VEjeSfJ0l 6IxgnB5p4bB86TcmXZboJ4d+eCCTHRlFZOtYDKMnPvoflNUbe1kxbGqPcfVuy7L0GcrZUW2JIjF dn7YcVTa7umVBOccha+jzE6u3rwbZp5oGHHeO7d4ua7O+nZEFJznfjgJJTzJGYfAs/b9u6Zv1gR Aiy9xhdQUaFa8xvsYFu7+1oqdrucD/8dxwrloqkWvi6Ix+EQF/9XKFHSYn3ruGXAA4Zk4hTkCK4 Depi0prm/uFTziW1ysI X-Google-Smtp-Source: AGHT+IE8tGIqKknBmSR/YjZ0JxDzGHwDUZlXi4SXMFnGrMTTa5U7E8C9N7e2anx+wAKtOY9fgQgPgw== X-Received: by 2002:a05:6a20:3d84:b0:2b3:4f2a:d2e9 with SMTP id adf61e73a8af0-334a8515183mr2709377637.9.1760675018085; Thu, 16 Oct 2025 21:23:38 -0700 (PDT) Received: from toolbx.alistair23.me (2403-580b-97e8-0-82ce-f179-8a79-69f4.ip6.aussiebb.net. [2403:580b:97e8:0:82ce:f179:8a79:69f4]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-33be54cad3esm245557a91.12.2025.10.16.21.23.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 16 Oct 2025 21:23:37 -0700 (PDT) From: alistair23@gmail.com X-Google-Original-From: alistair.francis@wdc.com To: chuck.lever@oracle.com, hare@kernel.org, kernel-tls-handshake@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-nvme@lists.infradead.org, linux-nfs@vger.kernel.org Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, kch@nvidia.com, hare@suse.de, alistair23@gmail.com, Alistair Francis Subject: [PATCH v4 1/7] net/handshake: Store the key serial number on completion Date: Fri, 17 Oct 2025 14:23:06 +1000 Message-ID: <20251017042312.1271322-2-alistair.francis@wdc.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20251017042312.1271322-1-alistair.francis@wdc.com> References: <20251017042312.1271322-1-alistair.francis@wdc.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Alistair Francis Allow userspace to include a key serial number when completing a handshake with the HANDSHAKE_CMD_DONE command. We then store this serial number and will provide it back to userspace in the future. This allows userspace to save data to the keyring and then restore that data later. This will be used to support the TLS KeyUpdate operation, as now userspace can resume information about a established session. Signed-off-by: Alistair Francis Reviewed-by: Hannes Reincke --- v4: - No change v3: - No change v2: - Change "key-serial" to "session-id" Documentation/netlink/specs/handshake.yaml | 4 ++++ Documentation/networking/tls-handshake.rst | 2 ++ drivers/nvme/host/tcp.c | 3 ++- drivers/nvme/target/tcp.c | 3 ++- include/net/handshake.h | 4 +++- include/uapi/linux/handshake.h | 1 + net/handshake/genl.c | 5 +++-- net/handshake/tlshd.c | 15 +++++++++++++-- net/sunrpc/svcsock.c | 4 +++- net/sunrpc/xprtsock.c | 4 +++- 10 files changed, 36 insertions(+), 9 deletions(-) diff --git a/Documentation/netlink/specs/handshake.yaml b/Documentation/net= link/specs/handshake.yaml index 95c3fade7a8d..a273bc74d26f 100644 --- a/Documentation/netlink/specs/handshake.yaml +++ b/Documentation/netlink/specs/handshake.yaml @@ -87,6 +87,9 @@ attribute-sets: name: remote-auth type: u32 multi-attr: true + - + name: session-id + type: u32 =20 operations: list: @@ -123,6 +126,7 @@ operations: - status - sockfd - remote-auth + - session-id =20 mcast-groups: list: diff --git a/Documentation/networking/tls-handshake.rst b/Documentation/net= working/tls-handshake.rst index 6f5ea1646a47..d7287890056a 100644 --- a/Documentation/networking/tls-handshake.rst +++ b/Documentation/networking/tls-handshake.rst @@ -60,6 +60,8 @@ fills in a structure that contains the parameters of the = request: key_serial_t ta_my_privkey; unsigned int ta_num_peerids; key_serial_t ta_my_peerids[5]; + key_serial_t user_session_id; + }; =20 The @ta_sock field references an open and connected socket. The consumer diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c index 2751c15beed6..611be56f8013 100644 --- a/drivers/nvme/host/tcp.c +++ b/drivers/nvme/host/tcp.c @@ -1691,7 +1691,8 @@ static void nvme_tcp_set_queue_io_cpu(struct nvme_tcp= _queue *queue) qid, queue->io_cpu); } =20 -static void nvme_tcp_tls_done(void *data, int status, key_serial_t pskid) +static void nvme_tcp_tls_done(void *data, int status, key_serial_t pskid, + key_serial_t user_session_id) { struct nvme_tcp_queue *queue =3D data; struct nvme_tcp_ctrl *ctrl =3D queue->ctrl; diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c index 470bf37e5a63..4ef4dd140ada 100644 --- a/drivers/nvme/target/tcp.c +++ b/drivers/nvme/target/tcp.c @@ -1780,7 +1780,8 @@ static int nvmet_tcp_tls_key_lookup(struct nvmet_tcp_= queue *queue, } =20 static void nvmet_tcp_tls_handshake_done(void *data, int status, - key_serial_t peerid) + key_serial_t peerid, + key_serial_t user_session_id) { struct nvmet_tcp_queue *queue =3D data; =20 diff --git a/include/net/handshake.h b/include/net/handshake.h index 8ebd4f9ed26e..dc2222fd6d99 100644 --- a/include/net/handshake.h +++ b/include/net/handshake.h @@ -18,7 +18,8 @@ enum { }; =20 typedef void (*tls_done_func_t)(void *data, int status, - key_serial_t peerid); + key_serial_t peerid, + key_serial_t user_session_id); =20 struct tls_handshake_args { struct socket *ta_sock; @@ -31,6 +32,7 @@ struct tls_handshake_args { key_serial_t ta_my_privkey; unsigned int ta_num_peerids; key_serial_t ta_my_peerids[5]; + key_serial_t user_session_id; }; =20 int tls_client_hello_anon(const struct tls_handshake_args *args, gfp_t fla= gs); diff --git a/include/uapi/linux/handshake.h b/include/uapi/linux/handshake.h index 662e7de46c54..b68ffbaa5f31 100644 --- a/include/uapi/linux/handshake.h +++ b/include/uapi/linux/handshake.h @@ -55,6 +55,7 @@ enum { HANDSHAKE_A_DONE_STATUS =3D 1, HANDSHAKE_A_DONE_SOCKFD, HANDSHAKE_A_DONE_REMOTE_AUTH, + HANDSHAKE_A_DONE_SESSION_ID, =20 __HANDSHAKE_A_DONE_MAX, HANDSHAKE_A_DONE_MAX =3D (__HANDSHAKE_A_DONE_MAX - 1) diff --git a/net/handshake/genl.c b/net/handshake/genl.c index f55d14d7b726..6cdce7e5dbc0 100644 --- a/net/handshake/genl.c +++ b/net/handshake/genl.c @@ -16,10 +16,11 @@ static const struct nla_policy handshake_accept_nl_poli= cy[HANDSHAKE_A_ACCEPT_HAN }; =20 /* HANDSHAKE_CMD_DONE - do */ -static const struct nla_policy handshake_done_nl_policy[HANDSHAKE_A_DONE_R= EMOTE_AUTH + 1] =3D { +static const struct nla_policy handshake_done_nl_policy[HANDSHAKE_A_DONE_S= ESSION_ID + 1] =3D { [HANDSHAKE_A_DONE_STATUS] =3D { .type =3D NLA_U32, }, [HANDSHAKE_A_DONE_SOCKFD] =3D { .type =3D NLA_S32, }, [HANDSHAKE_A_DONE_REMOTE_AUTH] =3D { .type =3D NLA_U32, }, + [HANDSHAKE_A_DONE_SESSION_ID] =3D { .type =3D NLA_U32, }, }; =20 /* Ops table for handshake */ @@ -35,7 +36,7 @@ static const struct genl_split_ops handshake_nl_ops[] =3D= { .cmd =3D HANDSHAKE_CMD_DONE, .doit =3D handshake_nl_done_doit, .policy =3D handshake_done_nl_policy, - .maxattr =3D HANDSHAKE_A_DONE_REMOTE_AUTH, + .maxattr =3D HANDSHAKE_A_DONE_SESSION_ID, .flags =3D GENL_CMD_CAP_DO, }, }; diff --git a/net/handshake/tlshd.c b/net/handshake/tlshd.c index 081093dfd553..2549c5dbccd8 100644 --- a/net/handshake/tlshd.c +++ b/net/handshake/tlshd.c @@ -26,7 +26,8 @@ =20 struct tls_handshake_req { void (*th_consumer_done)(void *data, int status, - key_serial_t peerid); + key_serial_t peerid, + key_serial_t user_session_id); void *th_consumer_data; =20 int th_type; @@ -39,6 +40,8 @@ struct tls_handshake_req { =20 unsigned int th_num_peerids; key_serial_t th_peerid[5]; + + key_serial_t user_session_id; }; =20 static struct tls_handshake_req * @@ -55,6 +58,7 @@ tls_handshake_req_init(struct handshake_req *req, treq->th_num_peerids =3D 0; treq->th_certificate =3D TLS_NO_CERT; treq->th_privkey =3D TLS_NO_PRIVKEY; + treq->user_session_id =3D TLS_NO_PRIVKEY; return treq; } =20 @@ -83,6 +87,13 @@ static void tls_handshake_remote_peerids(struct tls_hand= shake_req *treq, if (i >=3D treq->th_num_peerids) break; } + + nla_for_each_attr(nla, head, len, rem) { + if (nla_type(nla) =3D=3D HANDSHAKE_A_DONE_SESSION_ID) { + treq->user_session_id =3D nla_get_u32(nla); + break; + } + } } =20 /** @@ -105,7 +116,7 @@ static void tls_handshake_done(struct handshake_req *re= q, set_bit(HANDSHAKE_F_REQ_SESSION, &req->hr_flags); =20 treq->th_consumer_done(treq->th_consumer_data, -status, - treq->th_peerid[0]); + treq->th_peerid[0], treq->user_session_id); } =20 #if IS_ENABLED(CONFIG_KEYS) diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c index 7b90abc5cf0e..bc9a713c6559 100644 --- a/net/sunrpc/svcsock.c +++ b/net/sunrpc/svcsock.c @@ -444,13 +444,15 @@ static void svc_tcp_kill_temp_xprt(struct svc_xprt *x= prt) * @data: address of xprt to wake * @status: status of handshake * @peerid: serial number of key containing the remote peer's identity + * @user_session_id: serial number of the userspace session ID * * If a security policy is specified as an export option, we don't * have a specific export here to check. So we set a "TLS session * is present" flag on the xprt and let an upper layer enforce local * security policy. */ -static void svc_tcp_handshake_done(void *data, int status, key_serial_t pe= erid) +static void svc_tcp_handshake_done(void *data, int status, key_serial_t pe= erid, + key_serial_t user_session_id) { struct svc_xprt *xprt =3D data; struct svc_sock *svsk =3D container_of(xprt, struct svc_sock, sk_xprt); diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c index 3aa987e7f072..bce0f43bef65 100644 --- a/net/sunrpc/xprtsock.c +++ b/net/sunrpc/xprtsock.c @@ -2589,9 +2589,11 @@ static int xs_tcp_tls_finish_connecting(struct rpc_x= prt *lower_xprt, * @data: address of xprt to wake * @status: status of handshake * @peerid: serial number of key containing the remote's identity + * @user_session_id: serial number of the userspace session ID * */ -static void xs_tls_handshake_done(void *data, int status, key_serial_t pee= rid) +static void xs_tls_handshake_done(void *data, int status, key_serial_t pee= rid, + key_serial_t user_session_id) { struct rpc_xprt *lower_xprt =3D data; struct sock_xprt *lower_transport =3D --=20 2.51.0