[PATCH 0/9] Deliver TLS session tags to upper-layer consumers (NFSD)

Jeff Layton jlayton at kernel.org
Sat Jun 6 06:26:10 PDT 2026 

On Fri, 2026-06-05 at 13:34 -0400, Chuck Lever wrote:
> NFSD and similar upper-layer services want access-control decisions
> based on TLS peer-certificate characteristics, but in-kernel x.509
> parsing would duplicate work mature userspace libraries already do.
> This series gives tlshd a way to evaluate certificates against
> admin-defined policy and report matching policies back to the kernel
> as opaque string tags. The handshake layer plumbs the tags through to
> the upper-layer consumer's completion callback; intersection against
> per-resource tag sets stays the consumer's problem.
> 
> Four architectural choices shape the series, only one of which is
> visible in any single patch.
> 
> The tagging vocabulary is opaque to the kernel. tlshd decides what
> each tag means; the handshake layer and its consumers only test
> membership. This keeps x.509 out of the kernel and lets policy evolve
> at userspace speed. Any future attribute the kernel wants to gate on
> must be expressed as a tag rather than as a new netlink field per
> attribute.
> 
> DONE gains a privilege check (patch 1) as a prerequisite, not as
> cleanup. Without it, an unprivileged process guessing a sockfd could
> submit a forged DONE and effectively grant or deny tag membership
> for a real handshake. Once tags carry authorization weight, that
> pre-existing gap becomes load-bearing. The fix predates tags in
> principle and carries a Fixes: tag, but it sits at the head of this
> series so the rest of the work has a trustworthy foundation.
> 
> HANDSHAKE_MAX_SESSIONTAGS is advertised on every ACCEPT reply as
> HANDSHAKE_A_ACCEPT_MAX_TAGS (patch 6), so tlshd can size its
> DONE-side tag list against the kernel's runtime limit rather than
> guessing from header constants. If a daemon overruns anyway, the
> DONE handler truncates and logs one pr_warn_once rather than
> returning -E2BIG: tearing down a handshake the operator almost
> certainly wants to keep is a worse outcome than dropping a few
> tags. The truncation path is defense-in-depth for a buggy or
> stale agent, not the primary signal.
> 
> The tagset helper (patch 3) is split out as a generic library so
> NFSD export tagging (patches 8 and 9) can use it without further
> churn in net/handshake/.
> 
> ---
> Chuck Lever (9):
>       handshake: Require admin permission for DONE command
>       handshake: Add tags to "done" downcall
>       lib: Add a "tagset" data structure
>       handshake: Pick up session tags passed during the DONE downcall
>       handshake: Add a kunit test for the completion gate
>       handshake: advertise the session-tag cap to user space
>       SUNRPC: Copy the TLS session tags when they are available
>       NFSD: Implement export tagging
>       NFSD: Add allow_tags to the netlink export interface
> 
>  Documentation/core-api/index.rst           |   1 +
>  Documentation/core-api/tagset.rst          | 225 +++++++++++++++++++++++++++++
>  Documentation/netlink/specs/handshake.yaml |  16 ++
>  Documentation/netlink/specs/nfsd.yaml      |  10 ++
>  Documentation/networking/tls-handshake.rst |  63 +++++++-
>  drivers/nvme/host/tcp.c                    |   3 +-
>  drivers/nvme/target/tcp.c                  |   3 +-
>  fs/nfsd/export.c                           | 141 +++++++++++++++++-
>  fs/nfsd/export.h                           |  11 ++
>  fs/nfsd/netlink.c                          |   4 +-
>  fs/nfsd/netlink.h                          |   3 +-
>  fs/nfsd/trace.h                            |  19 +++
>  include/linux/sunrpc/svc_xprt.h            |   2 +
>  include/linux/tagset.h                     | 187 ++++++++++++++++++++++++
>  include/net/handshake.h                    |  30 +++-
>  include/uapi/linux/handshake.h             |   4 +
>  include/uapi/linux/nfsd_netlink.h          |   1 +
>  lib/Makefile                               |   1 +
>  lib/tagset.c                               | 174 ++++++++++++++++++++++
>  net/handshake/genl.c                       |   7 +-
>  net/handshake/handshake-test.c             |  72 +++++++++
>  net/handshake/handshake.h                  |   6 +
>  net/handshake/netlink.c                    | 109 +++++++++++++-
>  net/handshake/request.c                    |  68 ++++++++-
>  net/handshake/tlshd.c                      |  10 +-
>  net/sunrpc/svc_xprt.c                      |  11 +-
>  net/sunrpc/svcauth_unix.c                  |  12 ++
>  net/sunrpc/svcsock.c                       |  38 ++++-
>  net/sunrpc/xprtsock.c                      |   5 +-
>  29 files changed, 1205 insertions(+), 31 deletions(-)
> ---
> base-commit: 4d4d6605de5f91a40335729b6a7cc15e83b280f3
> change-id: 20260512-tls-session-tags-9d0042583f44
> 
> Best regards,
> --  
> Chuck Lever <chuck.lever at oracle.com>

I was wanting to review this, but I can't seem to get it to apply
cleanly to any known tree. What tree is this based on?
-- 
Jeff Layton <jlayton at kernel.org>

More information about the Linux-nvme mailing list