kernel TLS configuration, was: Re: [ANNOUNCE] ktls-utils 1.0.0

Hannes Reinecke hare at suse.de
Wed May 7 01:36:30 PDT 2025


On 5/7/25 09:58, Christoph Hellwig wrote:
> On Wed, May 07, 2025 at 10:50:00AM +0300, Sagi Grimberg wrote:
>> Just so I understand, this is a separate issue from passing the keyring to
>> tlshd correct? Is the suggestion that nfs will create a special .nfs keyring
>> similar to what nvme does?
> 
> Yeah.
> 
>> Note that nvme also allows the user to pass its own keyring (never tried
>> it before - we probably need a blktest for it //hannes). So in this case,
>> the possessor will need to set user READ perms on the key itself (assuming that
>> it updated tlshd.conf to know this keyring)?
> 
> I think so.  Or give user read permissions for the keys (which from
> my limited understanding renders the patches a bit useless).
> 
> Let me send out my current patches and discuss it there.
> 
The canonical way here is to link the requested keyring into the
session keyring of the calling process. That way you have access
to the keys in that keyring.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                  Kernel Storage Architect
hare at suse.de                                +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
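
Added example, not part of the mail above and not code from ktls-utils or the kernel: a C program using raw add_key(2)/keyctl(2) syscalls in which a key with possessor-only permissions cannot be read (EACCES) until its keyring is linked into the caller's session keyring. The key names, the payload and the owner LINK bit on the demo keyring are assumptions, chosen so that one process can drop possession and regain it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/keyctl.h>   /* KEYCTL_* and KEY_SPEC_* constants */

/* Permission bits in the layout taken by keyctl_setperm(3). */
#define POS_ALL  0x3f000000 /* possessor: all rights */
#define USR_VIEW 0x00010000 /* owning UID: view attributes only */
#define USR_LINK 0x00100000 /* owning UID: may link the keyring (demo only) */
#define kctl(...)  syscall(SYS_keyctl, __VA_ARGS__)
#define k_add(...) syscall(SYS_add_key, __VA_ARGS__)

/* Returns 0 and fills both outputs, or -1 when the keys API is unavailable
 * (for example blocked by a container seccomp profile).
 * "demo-ring", "demo-psk" and "secret" are constructed sample values. */
int demo(int *errno_unlinked, long *len_linked)
{
    char buf[16];
    long ring, key;
    int ok = -1;

    if (kctl(KEYCTL_JOIN_SESSION_KEYRING, NULL) < 0) return -1; /* empty session */
    ring = k_add("keyring", "demo-ring", NULL, 0UL, KEY_SPEC_SESSION_KEYRING);
    key = ring < 0 ? -1 : k_add("user", "demo-psk", "secret", 6UL, ring);
    if (key < 0 || kctl(KEYCTL_SETPERM, key, POS_ALL) < 0 || /* no user READ */
        kctl(KEYCTL_SETPERM, ring, POS_ALL | USR_VIEW | USR_LINK) < 0 ||
        kctl(KEYCTL_LINK, ring, KEY_SPEC_USER_KEYRING) < 0) /* keeps ring alive */
        return -1;
    /* Drop possession: the ring is no longer reachable from our session. */
    if (kctl(KEYCTL_UNLINK, ring, KEY_SPEC_SESSION_KEYRING) == 0) {
        *errno_unlinked = kctl(KEYCTL_READ, key, buf, sizeof buf) < 0 ? errno : 0;
        /* The step from the mail: link the keyring into the session keyring. */
        if (kctl(KEYCTL_LINK, ring, KEY_SPEC_SESSION_KEYRING) == 0) {
            *len_linked = kctl(KEYCTL_READ, key, buf, sizeof buf);
            ok = 0;
        }
    }
    kctl(KEYCTL_UNLINK, ring, KEY_SPEC_USER_KEYRING); /* clean up */
    return ok;
}

int main(void)
{
    int e = 0; long n = 0;
    if (demo(&e, &n) < 0) return puts("kernel keys API unavailable"), 1;
    return printf("read before link: errno %d; after link: %ld bytes\n", e, n) < 0;
}
```

The key itself never gains user READ; only reachability from the session keyring changes between the two reads.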


