From nobody Tue Dec 16 21:17:40 2025 Received: from mail-pl1-f181.google.com (mail-pl1-f181.google.com [209.85.214.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 09CC51A262A for ; Tue, 2 Dec 2025 01:35:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.181 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764639314; cv=none; b=qNxeumoA8DLIM8zOUkakNOXrWseaHsCiAm99xR+YkSGq3xDGNx7xEU0kfrlhEsTYT44q3ByUfYL38kuk1ykP0EJIA1FZEmK/HtSDOyWbmm/e91DEFuYdlLcAsh/e1yIhAXgZ9OjGzHWUMCLzRFASIjy4nIAofBE2k0UArFhpofU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764639314; c=relaxed/simple; bh=hz26PoRu8wHYwcbPcNok7LEN/UGSvwxHbi/hTcXSdHQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Z7mf7mQH/ck/0kHtpSH8wniXu0eFLX88MJ5yG8C21KSECen+O8rc3Ba7ohKsMWw7mqBGb+Rcmm5AI4J+5IzMloA2BHDeGqVKzZw1Ofkg6Gjr+dN8bzrTczpeOshUJf1b/Pz8RF00oWa5uKcmcTKdwydY2jFCWJeN3PjRHsKNGDg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=HoupdSjY; arc=none smtp.client-ip=209.85.214.181 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="HoupdSjY" Received: by mail-pl1-f181.google.com with SMTP id d9443c01a7336-29ba9249e9dso55044525ad.3 for ; Mon, 01 Dec 2025 17:35:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1764639311; x=1765244111; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=kJvJhfPbnFYn3z6Y3dZFBcvJzRxMfFMy2X3buPGIRvg=; b=HoupdSjY34A/0OGSK+LDiB+6uAdnqhnhI4PwoGBZgTss1LecFTun8Zb7XoUqt0Ltpn VPEPqt+3BS6SG2FwUko0H26XZRWQXSdiaTPgpLX4sDkx6CZkFI4os5shlYa2PRtpQH64 b5biBtE1x0k4W660KH16aC9LD3xnlpgoVhGyxcSZPtaDiz8wT63ADdXIIPbW4R6PZ0Ty l46QnvbZc5zwIF/mRpBBRHGEDAWddkevuyv5ihTgAmu9WQC4G2EXnzAjRsgB7IkSsojP KlX6b0rmRlgslWXn1hulNhVkn+mRvuDJGIm6gnCMDoImq0jqr1Qtvkj+LJpSc+X1V55g c0NQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764639311; x=1765244111; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=kJvJhfPbnFYn3z6Y3dZFBcvJzRxMfFMy2X3buPGIRvg=; b=SY9pFKktWDXXqzyhDJvgck9J12fyRdl+nmupx3SQ15phUKqU8E6phXLHECOlTCV7GR IaByWolti7TWCcIx3FMLqIumxZdvbpSK5gmd8RQaiAfJlZ24smgNG5twW2+7SR2XuiWm zCt8h5CooMYQyjTKLM1y5PFpU9P/eMJCFcNb4mAfmB9J2P07rpma6X2B23Y4kNyAI+0l SFivJgh/FfDqbG2cgzCmLPaH92xLyZq7WZd4xw1zLTNKPpEk3PsVXWsYWuRhJJrxhKJ+ lUC+oINqlvgenpFYqzTB5B00aMf85FYXST6gJ9gzqwDXQgvf1bWildvMy9OcCBqISbSY atJg== X-Forwarded-Encrypted: i=1; AJvYcCVLGtsX+l6u3Smpauo4rnJAUeuV/Opkb51O0pN7hEXEBhozYRAcYGFFNRo5AqmO+dy8sNQkQfnd8HidBA0=@vger.kernel.org X-Gm-Message-State: AOJu0YzbYs7/9usxO8QOy2myxfWKffM9uksyz0kfXWATkgT8Ob8Hc8R9 Vv6krsWT6yQlT0Au7Vk9eVfZOPi9IyUSveyQRUrZZbCiV82oQlYP9t3Lh0FsrA== X-Gm-Gg: ASbGncsQ7dUni3Roen7hqO1FW50hlnXWtKX9BoKHbcEUt4Z4MSLITxz57TEQCfHDUwt IBYhJQRVXFyu/yEVW9rmNyXHXKn1tvrcwyS0IlenkiepUB7wZxgcJmCCATM3hoLUk0jQYeptxRf ar+7ovfLGUZKa6XidzaxPXBohdYByh8SAWgnWw+okrlVcb0Ytz98yqcP8cSfs4yHX7u+Vwtjyth D/ez+MOvQHnrqrnRctP9h/iJRA+bjA4Kw6Qj6hoC0fly6TsApQ2Befed46fXO+qJD+qIFLE6Ec3 tcSU81592TOCUr9fWczgf147olnmuUHMYvF1UU2appNqYDnuEjXhupEbmIyC3EAdCHxvRpx9dQq /B3fbhc0dnyh9VGn8aLTw4b5kR1w9Tv+T1Ba2RsFDA7A7OQYJwfXJFBr17yyYDin2IG6pDwaO1B D3jaZw7sVXWLXEomDLc6RYfnltQBXUxZnKWqpGno71uRDMlADpoim2GEB38E/T2kyGASCxNe8lO ck4qYWJx21IpO9NGJc= X-Google-Smtp-Source: AGHT+IH83tJaSf6G3Voz30gvV9am+rP5Je0+3DRGMgD/fBbFGdbiYM3LHkSvkNZ0vjcndHQPHyhM1A== X-Received: by 2002:a17:903:37cd:b0:29a:2d0:c1b5 with SMTP id d9443c01a7336-29b6c4fc395mr396760085ad.22.1764639311213; Mon, 01 Dec 2025 17:35:11 -0800 (PST) Received: from toolbx.alistair23.me (2403-580b-97e8-0-82ce-f179-8a79-69f4.ip6.aussiebb.net. [2403:580b:97e8:0:82ce:f179:8a79:69f4]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29bceb54563sm132378575ad.89.2025.12.01.17.35.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 01 Dec 2025 17:35:10 -0800 (PST) From: alistair23@gmail.com X-Google-Original-From: alistair.francis@wdc.com To: chuck.lever@oracle.com, hare@kernel.org, kernel-tls-handshake@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-nvme@lists.infradead.org, linux-nfs@vger.kernel.org Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, kch@nvidia.com, hare@suse.de, alistair23@gmail.com, Alistair Francis Subject: [PATCH v6 1/5] net/handshake: Store the key serial number on completion Date: Tue, 2 Dec 2025 11:34:25 +1000 Message-ID: <20251202013429.1199659-2-alistair.francis@wdc.com> X-Mailer: git-send-email 2.51.1 In-Reply-To: <20251202013429.1199659-1-alistair.francis@wdc.com> References: <20251202013429.1199659-1-alistair.francis@wdc.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Alistair Francis Allow userspace to include a key serial number when completing a handshake with the HANDSHAKE_CMD_DONE command. We then store this serial number and will provide it back to userspace in the future. This allows userspace to save data to the keyring and then restore that data later. This will be used to support the TLS KeyUpdate operation, as now userspace can resume information about a established session. Signed-off-by: Alistair Francis Reviewed-by: Hannes Reincke Reviewed-by: Chuck Lever Reviewed-by: Sagi Grimberg --- v6: - Add the "ta_" and "th_" prefixs v5: - Change name to "handshake session ID" v4: - No change v3: - No change v2: - Change "key-serial" to "session-id" Documentation/netlink/specs/handshake.yaml | 4 ++++ Documentation/networking/tls-handshake.rst | 1 + drivers/nvme/host/tcp.c | 3 ++- drivers/nvme/target/tcp.c | 3 ++- include/net/handshake.h | 5 ++++- include/uapi/linux/handshake.h | 1 + net/handshake/genl.c | 5 +++-- net/handshake/tlshd.c | 15 +++++++++++++-- net/sunrpc/svcsock.c | 4 +++- net/sunrpc/xprtsock.c | 4 +++- 10 files changed, 36 insertions(+), 9 deletions(-) diff --git a/Documentation/netlink/specs/handshake.yaml b/Documentation/net= link/specs/handshake.yaml index 95c3fade7a8d..a273bc74d26f 100644 --- a/Documentation/netlink/specs/handshake.yaml +++ b/Documentation/netlink/specs/handshake.yaml @@ -87,6 +87,9 @@ attribute-sets: name: remote-auth type: u32 multi-attr: true + - + name: session-id + type: u32 =20 operations: list: @@ -123,6 +126,7 @@ operations: - status - sockfd - remote-auth + - session-id =20 mcast-groups: list: diff --git a/Documentation/networking/tls-handshake.rst b/Documentation/net= working/tls-handshake.rst index 6f5ea1646a47..c58b3c8b16c1 100644 --- a/Documentation/networking/tls-handshake.rst +++ b/Documentation/networking/tls-handshake.rst @@ -60,6 +60,7 @@ fills in a structure that contains the parameters of the = request: key_serial_t ta_my_privkey; unsigned int ta_num_peerids; key_serial_t ta_my_peerids[5]; + key_serial_t ta_handshake_session_id; }; =20 The @ta_sock field references an open and connected socket. The consumer diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c index 9058ea64b89c..024d02248831 100644 --- a/drivers/nvme/host/tcp.c +++ b/drivers/nvme/host/tcp.c @@ -1694,7 +1694,8 @@ static void nvme_tcp_set_queue_io_cpu(struct nvme_tcp= _queue *queue) qid, queue->io_cpu); } =20 -static void nvme_tcp_tls_done(void *data, int status, key_serial_t pskid) +static void nvme_tcp_tls_done(void *data, int status, key_serial_t pskid, + key_serial_t handshake_session_id) { struct nvme_tcp_queue *queue =3D data; struct nvme_tcp_ctrl *ctrl =3D queue->ctrl; diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c index 470bf37e5a63..7f8516892359 100644 --- a/drivers/nvme/target/tcp.c +++ b/drivers/nvme/target/tcp.c @@ -1780,7 +1780,8 @@ static int nvmet_tcp_tls_key_lookup(struct nvmet_tcp_= queue *queue, } =20 static void nvmet_tcp_tls_handshake_done(void *data, int status, - key_serial_t peerid) + key_serial_t peerid, + key_serial_t handshake_session_id) { struct nvmet_tcp_queue *queue =3D data; =20 diff --git a/include/net/handshake.h b/include/net/handshake.h index 8ebd4f9ed26e..d9b2411d5523 100644 --- a/include/net/handshake.h +++ b/include/net/handshake.h @@ -15,10 +15,12 @@ enum { TLS_NO_PEERID =3D 0, TLS_NO_CERT =3D 0, TLS_NO_PRIVKEY =3D 0, + TLS_NO_SESSION_ID =3D 0, }; =20 typedef void (*tls_done_func_t)(void *data, int status, - key_serial_t peerid); + key_serial_t peerid, + key_serial_t handshake_session_id); =20 struct tls_handshake_args { struct socket *ta_sock; @@ -31,6 +33,7 @@ struct tls_handshake_args { key_serial_t ta_my_privkey; unsigned int ta_num_peerids; key_serial_t ta_my_peerids[5]; + key_serial_t ta_handshake_session_id; }; =20 int tls_client_hello_anon(const struct tls_handshake_args *args, gfp_t fla= gs); diff --git a/include/uapi/linux/handshake.h b/include/uapi/linux/handshake.h index 662e7de46c54..b68ffbaa5f31 100644 --- a/include/uapi/linux/handshake.h +++ b/include/uapi/linux/handshake.h @@ -55,6 +55,7 @@ enum { HANDSHAKE_A_DONE_STATUS =3D 1, HANDSHAKE_A_DONE_SOCKFD, HANDSHAKE_A_DONE_REMOTE_AUTH, + HANDSHAKE_A_DONE_SESSION_ID, =20 __HANDSHAKE_A_DONE_MAX, HANDSHAKE_A_DONE_MAX =3D (__HANDSHAKE_A_DONE_MAX - 1) diff --git a/net/handshake/genl.c b/net/handshake/genl.c index f55d14d7b726..6cdce7e5dbc0 100644 --- a/net/handshake/genl.c +++ b/net/handshake/genl.c @@ -16,10 +16,11 @@ static const struct nla_policy handshake_accept_nl_poli= cy[HANDSHAKE_A_ACCEPT_HAN }; =20 /* HANDSHAKE_CMD_DONE - do */ -static const struct nla_policy handshake_done_nl_policy[HANDSHAKE_A_DONE_R= EMOTE_AUTH + 1] =3D { +static const struct nla_policy handshake_done_nl_policy[HANDSHAKE_A_DONE_S= ESSION_ID + 1] =3D { [HANDSHAKE_A_DONE_STATUS] =3D { .type =3D NLA_U32, }, [HANDSHAKE_A_DONE_SOCKFD] =3D { .type =3D NLA_S32, }, [HANDSHAKE_A_DONE_REMOTE_AUTH] =3D { .type =3D NLA_U32, }, + [HANDSHAKE_A_DONE_SESSION_ID] =3D { .type =3D NLA_U32, }, }; =20 /* Ops table for handshake */ @@ -35,7 +36,7 @@ static const struct genl_split_ops handshake_nl_ops[] =3D= { .cmd =3D HANDSHAKE_CMD_DONE, .doit =3D handshake_nl_done_doit, .policy =3D handshake_done_nl_policy, - .maxattr =3D HANDSHAKE_A_DONE_REMOTE_AUTH, + .maxattr =3D HANDSHAKE_A_DONE_SESSION_ID, .flags =3D GENL_CMD_CAP_DO, }, }; diff --git a/net/handshake/tlshd.c b/net/handshake/tlshd.c index 8f9532a15f43..e72f45bdc226 100644 --- a/net/handshake/tlshd.c +++ b/net/handshake/tlshd.c @@ -26,7 +26,8 @@ =20 struct tls_handshake_req { void (*th_consumer_done)(void *data, int status, - key_serial_t peerid); + key_serial_t peerid, + key_serial_t handshake_session_id); void *th_consumer_data; =20 int th_type; @@ -39,6 +40,8 @@ struct tls_handshake_req { =20 unsigned int th_num_peerids; key_serial_t th_peerid[5]; + + key_serial_t th_handshake_session_id; }; =20 static struct tls_handshake_req * @@ -55,6 +58,7 @@ tls_handshake_req_init(struct handshake_req *req, treq->th_num_peerids =3D 0; treq->th_certificate =3D TLS_NO_CERT; treq->th_privkey =3D TLS_NO_PRIVKEY; + treq->th_handshake_session_id =3D TLS_NO_SESSION_ID; return treq; } =20 @@ -83,6 +87,13 @@ static void tls_handshake_remote_peerids(struct tls_hand= shake_req *treq, if (i >=3D treq->th_num_peerids) break; } + + nla_for_each_attr(nla, head, len, rem) { + if (nla_type(nla) =3D=3D HANDSHAKE_A_DONE_SESSION_ID) { + treq->th_handshake_session_id =3D nla_get_u32(nla); + break; + } + } } =20 /** @@ -105,7 +116,7 @@ static void tls_handshake_done(struct handshake_req *re= q, set_bit(HANDSHAKE_F_REQ_SESSION, &req->hr_flags); =20 treq->th_consumer_done(treq->th_consumer_data, -status, - treq->th_peerid[0]); + treq->th_peerid[0], treq->th_handshake_session_id); } =20 #if IS_ENABLED(CONFIG_KEYS) diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c index 7b90abc5cf0e..2401b4c757f6 100644 --- a/net/sunrpc/svcsock.c +++ b/net/sunrpc/svcsock.c @@ -444,13 +444,15 @@ static void svc_tcp_kill_temp_xprt(struct svc_xprt *x= prt) * @data: address of xprt to wake * @status: status of handshake * @peerid: serial number of key containing the remote peer's identity + * @handshake_session_id: serial number of the userspace session ID * * If a security policy is specified as an export option, we don't * have a specific export here to check. So we set a "TLS session * is present" flag on the xprt and let an upper layer enforce local * security policy. */ -static void svc_tcp_handshake_done(void *data, int status, key_serial_t pe= erid) +static void svc_tcp_handshake_done(void *data, int status, key_serial_t pe= erid, + key_serial_t handshake_session_id) { struct svc_xprt *xprt =3D data; struct svc_sock *svsk =3D container_of(xprt, struct svc_sock, sk_xprt); diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c index 3aa987e7f072..5c6e7543f293 100644 --- a/net/sunrpc/xprtsock.c +++ b/net/sunrpc/xprtsock.c @@ -2589,9 +2589,11 @@ static int xs_tcp_tls_finish_connecting(struct rpc_x= prt *lower_xprt, * @data: address of xprt to wake * @status: status of handshake * @peerid: serial number of key containing the remote's identity + * @handshake_session_id: serial number of the userspace session ID * */ -static void xs_tls_handshake_done(void *data, int status, key_serial_t pee= rid) +static void xs_tls_handshake_done(void *data, int status, key_serial_t pee= rid, + key_serial_t handshake_session_id) { struct rpc_xprt *lower_xprt =3D data; struct sock_xprt *lower_transport =3D --=20 2.51.1