From nobody Tue Feb 10 10:55:20 2026 Received: from mail-pj1-f44.google.com (mail-pj1-f44.google.com [209.85.216.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5E3702D3A72 for ; Wed, 12 Nov 2025 04:28:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.44 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762921696; cv=none; b=JjuA2+CpYhEYI7atOqSCiA9KCpjliakd0u7Etgfu68mr4+iWCmjfhAmrqGDKB2xDRccto4WeIs4nITMuM2naWClpizXS1K/pFDITtsGf2IN/XgPPfTj31yABK42NAY6O5EnHrmJdlD6bUWOY3k4pX0+XsydBuyvHFq/SUfnq6to= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762921696; c=relaxed/simple; bh=+jCGVmcm8MVpbEmr0Axn/mgty3ndsCdwYQUMd1UULmY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=iwF1xPDJ576npcEPkZewVv219CLyPp+Megd56s0+rV8k3yQj0C4t/86cwJ74xW4vElaIKxNlYR3OEPTMIt5J2v/PpH1XavxvHxiCIvnP0DRnOvjqmk8Fj2FPiYGHaWI63m/d8EI0B+HbSaI8F2zqJ3C8hbGFNq1qEbDKjC04ZX0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=AXXWF5b3; arc=none smtp.client-ip=209.85.216.44 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="AXXWF5b3" Received: by mail-pj1-f44.google.com with SMTP id 98e67ed59e1d1-3437ea05540so412288a91.0 for ; Tue, 11 Nov 2025 20:28:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1762921692; x=1763526492; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Tw8cOHbzhw9pNwhJI5NzaNsYq1VvyCsjiYozL/C9AsE=; b=AXXWF5b3O/UGSxSQyLs3S6Oyfqe6gfO1ifntoqumdkpnZYpVuTgsxM0og82dff92lJ HPoKh6Yde9IVXNOmHeAXGM4BwwV1r5Ft+6eP2LOpGlxrct2oq0/EiztzkOC2NddMqvnD LlSgQ6KS+km2ZC771nR7IqBzbKjgjTkPUzJi27YiKWwLcV54uOAOS68CbzcgJVEM2qpf QvEqoYa8NTTZRZSqbR2vHZbs3D+CmuqTsmwb+litI6q0cIs3p1zoVHwX9pn7v836Yd1O Axum4NEPp7zPiTPbF5cFcfS3uX7IOzHl1a7GazmjWjWnzzmdA5tljLWvVmgiasUbg9yw c9wQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1762921692; x=1763526492; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=Tw8cOHbzhw9pNwhJI5NzaNsYq1VvyCsjiYozL/C9AsE=; b=guwPsJNDUO/5pUpDtj5MbErFTZ4TS95lGbaaeGbvLLF8vTYbSO4qNzFV0GDtESD7WB oGl7yQNKCh7zkr3eG1CqOXQ84PTp/eJoJL0tuN73qNGE59OwhlF+aVU1z14/pJH3usqP sDFM6HfElcPS9RUnzGLSDKlaZJ+LjfvSoZ+NDuX6A36ykC+ZWPLHZ7D0XCbCQt50W+ZZ w1gyZYZXpqis16PPv7wozQRqZPa90OYuowW9VcXCR4pg+isw5V5wyVUUzwS0ygWamkvp MA+R2mCegnxzXEY71lmbhCrrvZTimE3CijbQp+UfL5cf4ANfBkviPjID3a03Kpf5OQqD czwg== X-Forwarded-Encrypted: i=1; AJvYcCX72duJexZW5gjLCqrEAOerfzLk6WghVxklviksmG4GHtu3tWp4PxPpQgeh+HqBosBJpbQQ/6WvSNXSNHY=@vger.kernel.org X-Gm-Message-State: AOJu0Yxb3aG7Ls0wPErIeDpBBE/rgQaQfnBPkst3w337sB/uARi25wcm E33f1XuWc7JoXbkfSOwrRy0YoziM9BJ7XC3tuV7orEiWsT0s0sYA3+xt X-Gm-Gg: ASbGnct2PA/IfBi59HidCE1AspCqpXnsuXEiyHdTIcM497piCNfRXbq9qFHrMOU+jPQ Bf4EhbvBEx9Od/rpTO2rc5o5Nswwy1+ujmg9FmdTMUD3j/uYoEOVtNa0UAY7IC8vLpbnY8hCPAO KxmCjaGZDyXxoxisOIp3TU+FqRFxKNoGxi8ZtFDyw2xc78B8u7u+230DhBa2JomILq5rvDnASR/ F3yNmFylG0EmX9icUrpdDtgIE1dJhPDP+oWyzmeLN5rFu+QDXZYZoQIpJfTWjy5wgyO2Y1QrpLW B+3d3F95BdBpYP/KiN2+PxF3UAJcDkL7pGmXqN70013uy/aq4iKGgupvIvImTOuGnnVJcceadcK n4f5DkdrX5JgswB5oLy/7KxaKnHbAHyR2a+j4oRacrSBGdWnfrRHnl3C32qaWC8cNqKaKGy/Xok m4BS3t8H0x0+9y7SueT3jIzSUAJGCVieIrcFhrNqCwS60BhAH4m5hgB411pFxBR85UIZrYnoqz/ x2Arp89Kw== X-Google-Smtp-Source: AGHT+IH4DTxJoV9qdn9141anhldPdY8NvxeKfjVGxu8WTSlRIvIvUku804PDVCCGbncSCn1vuCDFbg== X-Received: by 2002:a17:90b:3803:b0:340:b501:7b7d with SMTP id 98e67ed59e1d1-343dddfc5damr1978176a91.14.1762921692445; Tue, 11 Nov 2025 20:28:12 -0800 (PST) Received: from toolbx.alistair23.me (2403-580b-97e8-0-82ce-f179-8a79-69f4.ip6.aussiebb.net. [2403:580b:97e8:0:82ce:f179:8a79:69f4]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-343e06fbc0dsm854681a91.2.2025.11.11.20.28.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Nov 2025 20:28:12 -0800 (PST) From: alistair23@gmail.com X-Google-Original-From: alistair.francis@wdc.com To: chuck.lever@oracle.com, hare@kernel.org, kernel-tls-handshake@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-nvme@lists.infradead.org, linux-nfs@vger.kernel.org Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, kch@nvidia.com, hare@suse.de, alistair23@gmail.com, Alistair Francis Subject: [PATCH v5 1/6] net/handshake: Store the key serial number on completion Date: Wed, 12 Nov 2025 14:27:15 +1000 Message-ID: <20251112042720.3695972-2-alistair.francis@wdc.com> X-Mailer: git-send-email 2.51.1 In-Reply-To: <20251112042720.3695972-1-alistair.francis@wdc.com> References: <20251112042720.3695972-1-alistair.francis@wdc.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Alistair Francis Allow userspace to include a key serial number when completing a handshake with the HANDSHAKE_CMD_DONE command. We then store this serial number and will provide it back to userspace in the future. This allows userspace to save data to the keyring and then restore that data later. This will be used to support the TLS KeyUpdate operation, as now userspace can resume information about a established session. Signed-off-by: Alistair Francis Reviewed-by: Hannes Reincke Reviewed-by: Chuck Lever Reviewed-by: Sagi Grimberg --- v5: - Change name to "handshake session ID" v4: - No change v3: - No change v2: - Change "key-serial" to "session-id" Documentation/netlink/specs/handshake.yaml | 4 ++++ Documentation/networking/tls-handshake.rst | 1 + drivers/nvme/host/tcp.c | 3 ++- drivers/nvme/target/tcp.c | 3 ++- include/net/handshake.h | 4 +++- include/uapi/linux/handshake.h | 1 + net/handshake/genl.c | 5 +++-- net/handshake/tlshd.c | 15 +++++++++++++-- net/sunrpc/svcsock.c | 4 +++- net/sunrpc/xprtsock.c | 4 +++- 10 files changed, 35 insertions(+), 9 deletions(-) diff --git a/Documentation/netlink/specs/handshake.yaml b/Documentation/net= link/specs/handshake.yaml index 95c3fade7a8d..a273bc74d26f 100644 --- a/Documentation/netlink/specs/handshake.yaml +++ b/Documentation/netlink/specs/handshake.yaml @@ -87,6 +87,9 @@ attribute-sets: name: remote-auth type: u32 multi-attr: true + - + name: session-id + type: u32 =20 operations: list: @@ -123,6 +126,7 @@ operations: - status - sockfd - remote-auth + - session-id =20 mcast-groups: list: diff --git a/Documentation/networking/tls-handshake.rst b/Documentation/net= working/tls-handshake.rst index 6f5ea1646a47..0941b81dde5c 100644 --- a/Documentation/networking/tls-handshake.rst +++ b/Documentation/networking/tls-handshake.rst @@ -60,6 +60,7 @@ fills in a structure that contains the parameters of the = request: key_serial_t ta_my_privkey; unsigned int ta_num_peerids; key_serial_t ta_my_peerids[5]; + key_serial_t handshake_session_id; }; =20 The @ta_sock field references an open and connected socket. The consumer diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c index 9058ea64b89c..024d02248831 100644 --- a/drivers/nvme/host/tcp.c +++ b/drivers/nvme/host/tcp.c @@ -1694,7 +1694,8 @@ static void nvme_tcp_set_queue_io_cpu(struct nvme_tcp= _queue *queue) qid, queue->io_cpu); } =20 -static void nvme_tcp_tls_done(void *data, int status, key_serial_t pskid) +static void nvme_tcp_tls_done(void *data, int status, key_serial_t pskid, + key_serial_t handshake_session_id) { struct nvme_tcp_queue *queue =3D data; struct nvme_tcp_ctrl *ctrl =3D queue->ctrl; diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c index 470bf37e5a63..7f8516892359 100644 --- a/drivers/nvme/target/tcp.c +++ b/drivers/nvme/target/tcp.c @@ -1780,7 +1780,8 @@ static int nvmet_tcp_tls_key_lookup(struct nvmet_tcp_= queue *queue, } =20 static void nvmet_tcp_tls_handshake_done(void *data, int status, - key_serial_t peerid) + key_serial_t peerid, + key_serial_t handshake_session_id) { struct nvmet_tcp_queue *queue =3D data; =20 diff --git a/include/net/handshake.h b/include/net/handshake.h index 8ebd4f9ed26e..68d7f89e431a 100644 --- a/include/net/handshake.h +++ b/include/net/handshake.h @@ -18,7 +18,8 @@ enum { }; =20 typedef void (*tls_done_func_t)(void *data, int status, - key_serial_t peerid); + key_serial_t peerid, + key_serial_t handshake_session_id); =20 struct tls_handshake_args { struct socket *ta_sock; @@ -31,6 +32,7 @@ struct tls_handshake_args { key_serial_t ta_my_privkey; unsigned int ta_num_peerids; key_serial_t ta_my_peerids[5]; + key_serial_t handshake_session_id; }; =20 int tls_client_hello_anon(const struct tls_handshake_args *args, gfp_t fla= gs); diff --git a/include/uapi/linux/handshake.h b/include/uapi/linux/handshake.h index 662e7de46c54..b68ffbaa5f31 100644 --- a/include/uapi/linux/handshake.h +++ b/include/uapi/linux/handshake.h @@ -55,6 +55,7 @@ enum { HANDSHAKE_A_DONE_STATUS =3D 1, HANDSHAKE_A_DONE_SOCKFD, HANDSHAKE_A_DONE_REMOTE_AUTH, + HANDSHAKE_A_DONE_SESSION_ID, =20 __HANDSHAKE_A_DONE_MAX, HANDSHAKE_A_DONE_MAX =3D (__HANDSHAKE_A_DONE_MAX - 1) diff --git a/net/handshake/genl.c b/net/handshake/genl.c index f55d14d7b726..6cdce7e5dbc0 100644 --- a/net/handshake/genl.c +++ b/net/handshake/genl.c @@ -16,10 +16,11 @@ static const struct nla_policy handshake_accept_nl_poli= cy[HANDSHAKE_A_ACCEPT_HAN }; =20 /* HANDSHAKE_CMD_DONE - do */ -static const struct nla_policy handshake_done_nl_policy[HANDSHAKE_A_DONE_R= EMOTE_AUTH + 1] =3D { +static const struct nla_policy handshake_done_nl_policy[HANDSHAKE_A_DONE_S= ESSION_ID + 1] =3D { [HANDSHAKE_A_DONE_STATUS] =3D { .type =3D NLA_U32, }, [HANDSHAKE_A_DONE_SOCKFD] =3D { .type =3D NLA_S32, }, [HANDSHAKE_A_DONE_REMOTE_AUTH] =3D { .type =3D NLA_U32, }, + [HANDSHAKE_A_DONE_SESSION_ID] =3D { .type =3D NLA_U32, }, }; =20 /* Ops table for handshake */ @@ -35,7 +36,7 @@ static const struct genl_split_ops handshake_nl_ops[] =3D= { .cmd =3D HANDSHAKE_CMD_DONE, .doit =3D handshake_nl_done_doit, .policy =3D handshake_done_nl_policy, - .maxattr =3D HANDSHAKE_A_DONE_REMOTE_AUTH, + .maxattr =3D HANDSHAKE_A_DONE_SESSION_ID, .flags =3D GENL_CMD_CAP_DO, }, }; diff --git a/net/handshake/tlshd.c b/net/handshake/tlshd.c index 081093dfd553..85c5fed690c0 100644 --- a/net/handshake/tlshd.c +++ b/net/handshake/tlshd.c @@ -26,7 +26,8 @@ =20 struct tls_handshake_req { void (*th_consumer_done)(void *data, int status, - key_serial_t peerid); + key_serial_t peerid, + key_serial_t handshake_session_id); void *th_consumer_data; =20 int th_type; @@ -39,6 +40,8 @@ struct tls_handshake_req { =20 unsigned int th_num_peerids; key_serial_t th_peerid[5]; + + key_serial_t handshake_session_id; }; =20 static struct tls_handshake_req * @@ -55,6 +58,7 @@ tls_handshake_req_init(struct handshake_req *req, treq->th_num_peerids =3D 0; treq->th_certificate =3D TLS_NO_CERT; treq->th_privkey =3D TLS_NO_PRIVKEY; + treq->handshake_session_id =3D TLS_NO_PRIVKEY; return treq; } =20 @@ -83,6 +87,13 @@ static void tls_handshake_remote_peerids(struct tls_hand= shake_req *treq, if (i >=3D treq->th_num_peerids) break; } + + nla_for_each_attr(nla, head, len, rem) { + if (nla_type(nla) =3D=3D HANDSHAKE_A_DONE_SESSION_ID) { + treq->handshake_session_id =3D nla_get_u32(nla); + break; + } + } } =20 /** @@ -105,7 +116,7 @@ static void tls_handshake_done(struct handshake_req *re= q, set_bit(HANDSHAKE_F_REQ_SESSION, &req->hr_flags); =20 treq->th_consumer_done(treq->th_consumer_data, -status, - treq->th_peerid[0]); + treq->th_peerid[0], treq->handshake_session_id); } =20 #if IS_ENABLED(CONFIG_KEYS) diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c index 7b90abc5cf0e..2401b4c757f6 100644 --- a/net/sunrpc/svcsock.c +++ b/net/sunrpc/svcsock.c @@ -444,13 +444,15 @@ static void svc_tcp_kill_temp_xprt(struct svc_xprt *x= prt) * @data: address of xprt to wake * @status: status of handshake * @peerid: serial number of key containing the remote peer's identity + * @handshake_session_id: serial number of the userspace session ID * * If a security policy is specified as an export option, we don't * have a specific export here to check. So we set a "TLS session * is present" flag on the xprt and let an upper layer enforce local * security policy. */ -static void svc_tcp_handshake_done(void *data, int status, key_serial_t pe= erid) +static void svc_tcp_handshake_done(void *data, int status, key_serial_t pe= erid, + key_serial_t handshake_session_id) { struct svc_xprt *xprt =3D data; struct svc_sock *svsk =3D container_of(xprt, struct svc_sock, sk_xprt); diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c index 3aa987e7f072..5c6e7543f293 100644 --- a/net/sunrpc/xprtsock.c +++ b/net/sunrpc/xprtsock.c @@ -2589,9 +2589,11 @@ static int xs_tcp_tls_finish_connecting(struct rpc_x= prt *lower_xprt, * @data: address of xprt to wake * @status: status of handshake * @peerid: serial number of key containing the remote's identity + * @handshake_session_id: serial number of the userspace session ID * */ -static void xs_tls_handshake_done(void *data, int status, key_serial_t pee= rid) +static void xs_tls_handshake_done(void *data, int status, key_serial_t pee= rid, + key_serial_t handshake_session_id) { struct rpc_xprt *lower_xprt =3D data; struct sock_xprt *lower_transport =3D --=20 2.51.1