On 5/7/25 09:58, Christoph Hellwig wrote:
On Wed, May 07, 2025 at 10:50:00AM +0300, Sagi Grimberg wrote:
Just so I understand, this is a separate issue from passing the keyring to
tlshd, correct? Is the suggestion that nfs will create a special .nfs keyring
similar to what nvme does?
Yeah.
Note that nvme also allows the user to pass its own keyring (never tried
it before - we probably need a blktest for it //hannes). So in this case, the
possessor will need to set user READ perms on the key itself (assuming that
it updated tlshd.conf to know this keyring)?
I think so. Or give user read permissions for the keys (which from
my limited understanding renders the patches a bit useless).
Let me send out my current patches and discuss it there.
The canonical way here is to link the requested keyring into the
session keyring of the calling process. That way you have access
to the keys in that keyring.
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@xxxxxxx +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
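
An added illustration, not part of the original thread and not kernel code: a simplified model of the kernel's key permission check, showing why possession (gained by linking the keyring into the caller's session keyring) grants read access without setting user READ on the key. The permission mask and the struct and function names are constructed for this example, and LSM checks are ignored.

```c
/* Added example: simplified model of the kernel key permission check.
 * Names and the sample mask are constructed; LSM hooks are ignored. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Per-category permission bits (same layout as the kernel's KEY_*_VIEW etc.) */
#define PERM_VIEW   0x01u
#define PERM_READ   0x02u
#define PERM_WRITE  0x04u
#define PERM_SEARCH 0x08u
#define PERM_LINK   0x10u

/* Position of each category byte within the 32-bit key permission mask */
#define SHIFT_POS 24
#define SHIFT_USR 16
#define SHIFT_GRP 8
#define SHIFT_OTH 0

struct caller {
    bool uid_match;  /* caller's fsuid equals the key's uid */
    bool gid_match;  /* caller's groups include the key's gid */
    bool possessor;  /* key found by searching the caller's own keyrings */
};

/* Effective permission bits the caller holds on a key with mask `perm`. */
uint8_t effective_perm(uint32_t perm, struct caller c)
{
    uint8_t k;
    if (c.uid_match)      k = (perm >> SHIFT_USR) & 0xff;
    else if (c.gid_match) k = (perm >> SHIFT_GRP) & 0xff;
    else                  k = (perm >> SHIFT_OTH) & 0xff;
    /* Possession adds the possessor bits on top of the uid/gid/other set. */
    if (c.possessor)      k |= (perm >> SHIFT_POS) & 0xff;
    return k;
}

bool may(uint32_t perm, struct caller c, uint8_t want)
{
    return (effective_perm(perm, c) & want) == want;
}

int main(void)
{
    uint32_t perm = 0x3f010000;  /* constructed: possessor all, user view only */
    struct caller unlinked = { true, false, false };  /* keyring not in session */
    struct caller linked   = { true, false, true  };  /* keyring linked into session */
    printf("read, keyring not linked:  %d\n", may(perm, unlinked, PERM_READ));
    printf("read, keyring linked:      %d\n", may(perm, linked, PERM_READ));
    printf("read, user READ added:     %d\n", may(perm | 0x00020000, unlinked, PERM_READ));
    return 0;
}
```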